Ticktick Cli

Security checks across malware telemetry and agentic risk

Overview

This TickTick CLI skill appears to do what it says: authenticate with TickTick and let the agent manage TickTick tasks, with local credential storage that users should understand before installing.

Before installing, understand that this skill can access and change your TickTick tasks and projects through your authorized TickTick account. Keep the local credential file private, avoid using it on shared or untrusted machines, and revoke the TickTick developer app or tokens if you stop using the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding
The skill documentation describes shell execution and outbound network access, but no declared permissions are present to inform users or policy systems about those capabilities. This creates a real security transparency issue because the skill handles OAuth credentials and performs remote API actions, increasing the chance of unintended secret exposure or unauthorized external operations.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The code persists client secrets, access tokens, and refresh tokens in a local JSON file under the user's home directory. Although permissions are restricted to 0600/0700, storing long-lived OAuth material in plaintext on disk increases exposure to local compromise, backups, malware, or accidental disclosure, and there is no user-facing warning or use of an OS-backed secret store.

Session Persistence

Severity: Medium
Category: Rogue Agent
Confidence: 96%
Content
### 1. Register a TickTick Developer App

1. Go to [TickTick Developer Center](https://developer.ticktick.com/manage)
2. Create a new application
3. Set the redirect URI to `http://localhost:8080`
4. Note your `Client ID` and `Client Secret`

### 2. Authenticate

```bash
# Set credentials and start OAuth flow
bun run sc
```

VirusTotal

66/66 vendors flagged this skill as clean.