ClawHub
Back to skill
v1.0.0

TickTick Tasks

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 4:52 AM.

Analysis

This is a coherent TickTick task-management skill, but users should verify the external TickTick CLI before authorizing it because it can change or delete tasks.

GuidanceThis skill appears purpose-aligned for managing TickTick tasks. Before installing or using it, make sure the `ticktick` and `ticktick-setup` commands come from a trustworthy source, authorize only the TickTick app you created, and review any complete or delete action before approving it.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
SKILL.md
ticktick complete <project_id> <task_id>

ticktick delete <project_id> <task_id>

The documented commands can complete or delete tasks in the user's TickTick account. This is purpose-aligned, but it is still a mutating action.

User impactA mistaken command or wrong task ID could mark the wrong task complete or delete it.
RecommendationReview task and project IDs before approving complete or delete operations, especially for important tasks.
Agentic Supply Chain Vulnerabilities
SeverityLowConfidenceHighStatusNote
install spec
No install spec — this is an instruction-only skill.

The skill tells users to run `ticktick-setup` and `ticktick` commands, but the artifacts do not provide the command implementation, package source, or pinned installation path.

User impactUsers need to obtain the CLI separately, so trust depends on the provenance of whatever `ticktick` command is installed locally.
RecommendationInstall the TickTick CLI only from a trusted source and verify which executable will run before entering OAuth credentials.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
SKILL.md
ticktick-setup <client_id> <client_secret>

The setup flow asks the user to provide OAuth app credentials and authorize access to TickTick, which is expected for this integration but grants account-level access to the task service.

User impactAuthorizing the CLI may let it read and modify TickTick tasks according to the OAuth permissions granted.
RecommendationOnly authorize an app and CLI source you trust, and revoke the TickTick OAuth grant if you stop using the skill.