Dida365 Cli
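v3.0.3
Use a Node.js CLI to manage tasks, projects, tags and more in Dida365 (滴答清单). It supports querying completed tasks by date, full sync, tag management, batch operations and more, and is suited to everyday task management and automation scenarios.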
by @oymy
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the runtime instructions: the document describes a Node.js CLI for Dida365 and lists commands and private API endpoints consistent with that purpose. However, registry metadata lists no homepage/source while SKILL.md includes a GitHub link and an npm package name (dida365-ai-tools) — the lack of an authoritative source entry in the registry is a minor inconsistency.
Instruction Scope
The SKILL.md tells users/agents to run npx or npm to fetch and run a remote CLI, and to provide a Cookie token via 'dida365 auth cookie <token>'. Asking for a session cookie (a sensitive authentication artifact) and instructing to run remote code increase the risk of credential exposure or unexpected behavior. The instructions also include destructive operations (delete task/project) which are expected but dangerous if run without confirmation. The skill does not explicitly state where the cookie comes from, how it is stored, or what the CLI does with it.
Install Mechanism
There is no explicit install spec in the skill bundle; instead SKILL.md recommends 'npx dida365' or 'npm install -g dida365-ai-tools'. Using npx/npm is common and traceable to the npm registry/GitHub, but it still causes remote code to be downloaded and executed at runtime. Because the skill does not pin or verify a specific package source/version in the registry metadata, this is a moderate risk and requires the user to verify the npm package and repository before executing.
Credentials
The skill declares no required environment variables or config paths (coherent), but it depends on a session Cookie for authentication. Requiring the user's session cookie is proportionate to a private-API-based CLI, but cookies are highly sensitive and can grant full account access; the skill does not provide guidance for scoping or safely obtaining a limited credential (e.g., using an API token or a throwaway account).
Persistence & Privilege
The skill is not always-enabled and is user-invocable (normal). It does not request system-wide config access or other skills' credentials. There is no indication it requires elevated or persistent platform privileges.
What to consider before installing
This skill's instructions are consistent with a CLI that talks to Dida365 via private APIs, but it asks you to download and run code from npm (via npx/npm) and to supply your session Cookie. Before installing or running it:
1) Inspect the npm package and the linked GitHub repo (https://github.com/oymy/dida365-ai-tools) to confirm the code is legitimate and review how it stores/transmits your cookie;
2) Prefer using a scoped API token or a throwaway account if possible—do not paste your primary session cookie unless you trust the package and maintainer;
3) Verify the package version and publisher on the npm registry;
4) Be cautious with destructive commands (delete, batch delete) and back up important data;
5) If you need higher assurance, request an explicit install spec or a packaged binary from a verified source, or use the official Open API and developer app flow instead.
Additional information that would raise confidence: a registry homepage/source field, a pinned package version in the skill metadata, and explicit guidance on how the CLI stores and transmits authentication tokens.
Like a lobster shell, security has layers — review code before you run it.
