Security audit

TickTick CLI

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate TickTick command-line skill, but it can read and change TickTick tasks and stores OAuth secrets locally.

Install only if you are comfortable giving this skill read/write access to your TickTick tasks and projects. Protect the plaintext config file, avoid storing secrets in TickTick task text, prefer project filters and task IDs, and require explicit user approval before mutations such as complete, abandon, batch-abandon, or project updates.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Rogue AgentSelf-Modification, Session Persistence
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection

Findings (5)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 90% confidence
Finding: The skill documents shell execution and outbound network access but does not declare permissions or provide an explicit trust boundary for those capabilities. In an agent setting, this can cause the tool to be invoked with more power than expected, increasing the risk of unintended external actions or command execution.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill exposes destructive operations such as complete, abandon, and batch-abandon without an explicit warning, confirmation step, or clear statement about reversibility. In an autonomous or semi-autonomous agent workflow, this raises the chance of accidental loss or unwanted modification of user task data.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The code persists client credentials, access tokens, and refresh tokens to a local JSON config file on disk. Although file permissions are restricted to 0600/0700, storing long-lived secrets in plaintext increases exposure to local compromise, backup leakage, malware, or accidental disclosure, and the code does not clearly warn users about this sensitive storage behavior.

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The manual auth flow tells the user to paste the full redirect URL, which contains the authorization code and state, into the CLI. That code is sensitive authentication material until exchanged, and asking users to handle it manually increases the chance of leakage through shell history, terminal logs, screenshots, clipboard managers, or social engineering.

Session Persistence

Medium

Category: Rogue Agent
Content: ### 1. Register a TickTick Developer App 1. Go to [TickTick Developer Center](https://developer.ticktick.com/manage) 2. Create a new application 3. Set the redirect URI to `http://localhost:8080` 4. Note your `Client ID` and `Client Secret`
Confidence: 92% confidence
Finding: Create a new application 3. Set the redirect URI to `http://localhost:8080` 4. Note your `Client ID` and `Client Secret` ### 2. Authenticate ```bash # Set credentials and start OAuth flow bun run sc

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal