ticktick-calendar

Pass

Audited by ClawScan on Feb 19, 2026.

Overview

The skill's code, runtime instructions, and requested environment variables are coherent with a TickTick OAuth + task/project integration — nothing in the bundle shows unexplained or malicious behavior, though it persists OAuth tokens to disk and can optionally POST to a user-configured webhook.

This skill appears to do what it says: an OAuth2 client + TickTick API wrapper. Before installing, consider the following:

1) The skill persists OAuth tokens to a token file in your home directory (default ~/.config/ticktick/token.json). Those tokens are sensitive — only install if you trust the skill and its owner.
2) The skill can optionally POST a reauthorization notification to any HTTPS URL you set in TICKTICK_REAUTH_WEBHOOK_URL — do not set this unless you control or trust the receiver, as it will receive the auth URL and related metadata.
3) The package expects built artifacts under dist (skill-entry and CLI import ../dist/src/index.js). Build (npm run build) and run tests locally before using it in production.
4) Limit the env vars you provide to only the TickTick app you register for this integration; if you suspect misuse, rotate/revoke the client secret in the TickTick app settings and delete the token file.

If you want extra assurance, review the token-manager and skill-entry code (they are included) to confirm there are no unexpected external endpoints or logging of secrets.