Ticktick Cli

Pass

Audited by ClawScan on May 10, 2026.

Overview

This appears to be a purpose-aligned TickTick CLI, but it stores OAuth client credentials and tokens locally in plaintext and can read or modify your TickTick tasks and projects.

Use this only if you want an agent or CLI to read and modify your TickTick tasks and projects. Protect ~/.clawdbot/credentials/ticktick-cli/config.json, revoke the TickTick app when access is no longer needed, and require confirmation before any update, complete, abandon, batch-abandon, or project-update command. Also verify the Bun/dependency setup and the publisher's provenance, because the install metadata is incomplete and the embedded metadata does not match the registry listing.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone who can read the credential file can use the stored tokens to access or modify the user's TickTick tasks through the authorized app, and the refresh token keeps that access alive until the app is revoked.

Why it was flagged

The skill stores OAuth client credentials and access/refresh tokens locally in plaintext, granting ongoing access to the user's TickTick account.

Skill content
Tokens are stored in `~/.clawdbot/credentials/ticktick-cli/config.json` ... "clientSecret" ... "accessToken" ... "refreshToken" ... Note: Credentials are stored in plaintext.
Recommendation

Install only if you trust this skill with TickTick task access, protect the credential file, use a dedicated TickTick developer app if possible, and revoke the app or delete the credential file if you no longer use it.

What this means

If an agent runs the wrong command or uses the wrong task ID, tasks or projects in TickTick could be changed unexpectedly.

Why it was flagged

The documented CLI can create, update, complete, and bulk-abandon tasks, which are account-mutating operations.

Skill content
bun run scripts/ticktick.ts task "Buy groceries" --list "Personal" ... bun run scripts/ticktick.ts complete "Buy groceries" ... bun run scripts/ticktick.ts batch-abandon <taskId1> <taskId2> <taskId3>
Recommendation

Require explicit confirmation before update, complete, abandon, batch-abandon, or project-update commands, and prefer project/task IDs with JSON output to reduce ambiguity.
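An operator-side wrapper that applies the two recommendations above together: it refuses to run while the plaintext credential file is readable by group or other (first finding), and it requires confirmation before the account-mutating subcommands (second finding). This is an added example for this page, not part of the skill and not something ClawScan ships. The credential path is the one the skill documents; the list of mutating subcommands is taken from the names quoted in this report (add `task` to it if you also want creates gated); TICKTICK_CRED_FILE, TICKTICK_RUN and TICKTICK_CONFIRM are hypothetical variables of this wrapper only.

```sh
#!/bin/sh
# Wrapper around the skill's CLI (added example, not the skill's own code).
# Assumptions: credential path as documented by the skill; mutating
# subcommand names as quoted in the audit; TICKTICK_* variables are knobs of
# this wrapper only. TICKTICK_RUN defaults to the documented invocation.

CRED_FILE="${TICKTICK_CRED_FILE:-$HOME/.clawdbot/credentials/ticktick-cli/config.json}"
TICKTICK_RUN="${TICKTICK_RUN:-bun run scripts/ticktick.ts}"
MUTATING="update complete abandon batch-abandon project-update"

# Permission string as printed by ls -l, e.g. "-rw-------". Portable across
# GNU and BSD userlands, unlike stat's format flags.
mode_of() {
  ls -ld "$1" 2>/dev/null | cut -c1-10
}

# 0 if $1 is a regular file (not a symlink) with no group/other bits, else 1.
owner_only() {
  case "$(mode_of "$1")" in
    -???------) return 0 ;;
    *)          return 1 ;;
  esac
}

# Strip group/other access from the credential directory and file.
harden_creds() {
  dir=$(dirname "$1")
  if [ -d "$dir" ]; then chmod 700 "$dir"; fi
  if [ -f "$1" ]; then chmod 600 "$1"; fi
  return 0
}

# 0 if subcommand $1 changes TickTick account state, else 1.
is_mutating() {
  for m in $MUTATING; do
    if [ "$1" = "$m" ]; then return 0; fi
  done
  return 1
}

# Run the CLI behind both checks. Return 2: credential file exposed.
# Return 3: mutating command not confirmed. An agent (no tty) must set
# TICKTICK_CONFIRM=yes explicitly; a human at a terminal is prompted.
ticktick_guarded() {
  if [ -f "$CRED_FILE" ] && ! owner_only "$CRED_FILE"; then
    echo "refusing: $CRED_FILE is readable by group/other (run harden_creds)" >&2
    return 2
  fi
  if is_mutating "$1" && [ "${TICKTICK_CONFIRM:-}" != "yes" ]; then
    if [ -t 0 ]; then
      printf 'About to run "%s" against your TickTick account. Type yes to continue: ' "$*" >&2
      read -r answer
      if [ "$answer" != "yes" ]; then echo "aborted" >&2; return 3; fi
    else
      echo "refusing: \"$1\" mutates your account; set TICKTICK_CONFIRM=yes to allow it" >&2
      return 3
    fi
  fi
  # Unquoted on purpose so "bun run scripts/ticktick.ts" splits into words.
  $TICKTICK_RUN "$@"
}
```

Source the file, run `harden_creds "$CRED_FILE"` once, then use `ticktick_guarded` wherever you would have typed `bun run scripts/ticktick.ts`. Note what the permission check does not cover: any process running as the same user can still read the file, so revoking the TickTick app remains the only real off switch.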

What this means

A user may have to install runtime dependencies (Bun and the listed packages) outside the declared install spec, and because no lockfile is present in the provided artifacts, the exact versions that get installed are not fixed.

Why it was flagged

The skill depends on external packages with semver ranges, while the registry lists no install spec or required binaries even though the documented commands use Bun.

Skill content
"dependencies": { "commander": "^12.0.0", "open": "^10.0.0" }
Recommendation

Verify the package source and dependency versions before running, and install dependencies from trusted registries in a controlled environment.

What this means

The mismatch does not show malicious behavior, but it makes the package lineage less clear.

Why it was flagged

The embedded metadata does not match the registry listing's owner ID and slug for ticktick-cli, creating a packaging/provenance inconsistency.

Skill content
"ownerId": "kn75gkrc5mkhng2krphfv76brn7ynt1t", "slug": "ticktick"
Recommendation

Treat the source as unverified unless the publisher can explain the metadata mismatch or provide a trusted repository/release history.
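A pre-install check that covers the last two findings together: dependency specs that are ranges with no lockfile to pin them, and embedded metadata that disagrees with the registry listing. This is an added example for this page, not ClawScan's scanner and not the skill's code. It assumes the dependencies live in package.json, that the ownerId and slug fields quoted above sit in a JSON metadata file whose path you pass in, and that you supply the registry's own values by hand (fetching them from the registry is out of scope). The return value is the number of problems found, so 0 means clean.

```sh
#!/bin/sh
# Pre-install checks for a skill package (added example, not the skill's or
# ClawScan's code). Assumptions: dependencies in package.json; "ownerId" and
# "slug" in a JSON metadata file given as the second argument; the expected
# registry values are supplied by the operator as arguments 3 and 4.

# Lockfiles that would fix the versions bun (or another client) installs.
has_lockfile() {
  for f in bun.lock bun.lockb package-lock.json yarn.lock pnpm-lock.yaml; do
    if [ -f "$1/$f" ]; then return 0; fi
  done
  return 1
}

# Print every dependency entry whose spec is not a plain x.y.z version
# (^, ~, *, >, <, ||, git/URL specs, prereleases). Handles both the one-line
# form quoted in the finding and a pretty-printed package.json.
unpinned_deps() {
  tr -d '\n' < "$1" \
    | grep -oE '"(dependencies|devDependencies)"[[:space:]]*:[[:space:]]*\{[^}]*\}' \
    | grep -oE '"[^"]+"[[:space:]]*:[[:space:]]*"[^"]*"' \
    | grep -vE ':[[:space:]]*"[0-9]+\.[0-9]+\.[0-9]+"$'
}

unpinned_count() {
  unpinned_deps "$1" | wc -l | tr -d ' '
}

# Value of the first string field named $2 in JSON file $1 (empty if absent).
json_field() {
  tr -d '\n' < "$1" \
    | grep -oE "\"$2\"[[:space:]]*:[[:space:]]*\"[^\"]*\"" \
    | head -n 1 \
    | sed -E 's/.*:[[:space:]]*"([^"]*)"$/\1/'
}

# preinstall_check PACKAGE_JSON META_JSON EXPECTED_OWNER_ID EXPECTED_SLUG
# Returns the number of problems found (0 = clean); details go to stderr.
preinstall_check() {
  pkg=$1; meta=$2; problems=0
  if ! has_lockfile "$(dirname "$pkg")"; then
    echo "no lockfile next to $pkg: installed versions are not fixed" >&2
    problems=$((problems + 1))
  fi
  n=$(unpinned_count "$pkg")
  if [ "$n" -gt 0 ]; then
    echo "$n dependency spec(s) are ranges, not exact versions:" >&2
    unpinned_deps "$pkg" >&2
    problems=$((problems + 1))
  fi
  for pair in "ownerId=$3" "slug=$4"; do
    field=${pair%%=*}; expected=${pair#*=}
    actual=$(json_field "$meta" "$field")
    if [ "$actual" != "$expected" ]; then
      echo "metadata mismatch: embedded $field is \"$actual\", registry lists \"$expected\"" >&2
      problems=$((problems + 1))
    fi
  done
  return $problems
}
```

Run it as `preinstall_check path/to/package.json path/to/metadata.json <owner id from the registry> ticktick-cli` before the first `bun install`. A lockfile check only tells you that versions are fixed, not that they are good ones, so pair it with a review of what the pinned packages actually are.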