Dida365 Cli

Warn

Audited by ClawScan on May 10, 2026.

Overview

This is a coherent Dida365 task-management CLI wrapper, but it needs review because it asks for a Dida365 cookie, uses unofficial private APIs, and runs an unpinned external npm CLI with broad account-changing powers.

Install only if you trust and have verified the exact npm package and source repository. Treat the Dida365 cookie like a password, use a temporary/revocable session if possible, and do not let the agent run delete, merge, move, or batch commands without your explicit confirmation.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Following the setup could run unreviewed npm code, and a package-name mismatch or compromised package could access the user's Dida365 session credential.

Why it was flagged

The recommended npx command would target a package named `dida365`, while the global install uses `dida365-ai-tools`; no version pin, install spec, or reviewed code is provided. Because this external CLI later receives the account cookie, package provenance matters.

Skill content

# npx (recommended)
npx dida365 <command> [options]

# or after a global install
npm install -g dida365-ai-tools

Recommendation

Verify the exact npm package and GitHub source before use, pin a trusted version, and prefer an install spec or reviewed source hash for the CLI that will handle credentials.

What this means

Anyone or any code that can use the stored cookie may be able to read or change the user's Dida365 account data as the user.

Why it was flagged

A Dida365 cookie is a high-impact session credential, and the skill explicitly uses unofficial private APIs for broader coverage. The artifact does not define credential scope, storage, revocation, or a least-privilege authorization model.

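Skill content

Cookie authentication must be set up before use.

dida365 auth cookie <token>     # set the Cookie token to complete authentication
...
This project chooses to use the private API + Cookie authentication, which offers broader coverage and simpler configuration.

Recommendation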

Use only a temporary or easily revocable cookie after reviewing the CLI, revoke it after use when possible, and prefer the official scoped Open API/OAuth flow for safer authorization.

What this means

A mistaken command or over-broad agent action could delete or reorganize tasks, tags, projects, or folders in the user's Dida365 account.

Why it was flagged

The CLI exposes delete, merge, move, and batch account-mutation commands. These are purpose-aligned for task automation, and some are marked dangerous/confirmation-required, but they remain high-impact actions.

Skill content

dida365 task delete <projectId> <taskId>
...
dida365 batch delete-tasks <taskId1:projectId1> [taskId2:projectId2 ...]
...
dida365 batch delete-projects <projectId1> [projectId2 ...]  # dangerous, requires confirmation
...
dida365 tag delete <name1> [name2...]

Recommendation

Require explicit user confirmation for all destructive or bulk operations, review IDs before execution, and test non-destructive list/show commands first.