dida365-ticktick-agent
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill’s task-management purpose is coherent, but it asks you to install an unreviewed global npm tool and give it a Dida365 session cookie, so it should be reviewed before use.
Only install this if you trust and have verified the dida365-ai-tools npm package. Treat the Dida365 cookie like a password: do not paste it into tools you have not inspected, and revoke or rotate it if you stop using the skill.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or anything with access to that saved cookie may be able to access or change your Dida365 account data.
The skill asks the user to copy a browser session cookie and save it into the CLI. That is high-impact account access, and the artifacts do not state where the credential is stored, how long it stays valid, or how to revoke it, and the skill metadata does not declare that it takes a credential at all.
Copy the value of the **t** cookie ... dida365 auth cookie "your cookie value"
Prefer official OAuth or least-privilege tokens when possible, verify the CLI before giving it a cookie, and know how to revoke the cookie or log out all sessions.
Installing the package globally gives unreviewed third-party code local execution opportunity and then provides it with Dida365 credentials.
The skill delegates functionality to a globally installed npm package that is not included in the reviewed artifacts. Combined with unknown source/homepage metadata and credential handling, this creates a material provenance and trust gap.
npm install -g dida365-ai-tools
Inspect and verify the npm package source, pin a known version, install in a sandbox or isolated environment, and avoid providing credentials until provenance is clear.
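The review above, as an added example for this report (not code from the ClawScan report or from the dida365-ai-tools project): fetch the tarball without installing it, then check the three things that decide whether a global install is safe to run: install-time lifecycle hooks, the binaries it puts on PATH, and whether package.json names a source repository to diff against. The package name is the one in the skill's install line; the pinned version (PINNED) is an assumption and must be replaced with the version you actually reviewed.

```shell
#!/bin/sh
# Added example for this review; not code from the ClawScan report or the
# dida365-ai-tools project. Audits an npm package before a global install.
# PINNED is an assumption: set it to the exact version you reviewed.

PKG="dida365-ai-tools"
PINNED="${PINNED:-0.0.0}"

# Download only. `npm pack` writes <name>-<version>.tgz into the given directory
# and runs none of the package's lifecycle scripts.
fetch_tarball() {
  ( cd "$1" && npm pack "${PKG}@${PINNED}" >/dev/null )
}

# Print lifecycle hooks in a package.json that run shell commands during
# `npm install`. Returns 1 when any are present so callers can gate on it.
install_hooks() {
  hooks=$(grep -oE '"(preinstall|install|postinstall|prepare)"[[:space:]]*:[[:space:]]*"[^"]*"' "$1" || true)
  if [ -n "$hooks" ]; then
    printf '%s\n' "$hooks"
    return 1
  fi
  return 0
}

# Print the "bin" entry: the commands a global install exposes on PATH.
bin_entries() {
  tr -d '\n' < "$1" | grep -oE '"bin"[[:space:]]*:[[:space:]]*(\{[^}]*\}|"[^"]*")' || true
}

# Succeed only if package.json declares a repository; without one there is
# no source to compare the published tarball against.
has_repository() {
  grep -q '"repository"' "$1"
}

# Unpack a downloaded tarball (npm places files under package/) and run the checks.
audit_tarball() {
  work=$(mktemp -d)
  tar -xzf "$1" -C "$work"
  pj="$work/package/package.json"
  echo "== binaries exposed by a global install:"
  bin_entries "$pj"
  echo "== install-time hooks:"
  if install_hooks "$pj"; then
    echo "(none)"
  else
    echo "REVIEW: hooks present; if you still install, use: npm install -g --ignore-scripts ${PKG}@${PINNED}"
  fi
  if has_repository "$pj"; then
    echo "== repository declared; diff $work/package against that source at the same tag"
  else
    echo "== no repository declared: nothing to verify the tarball against"
  fi
  echo "== unpacked copy left for manual reading: $work/package"
}

# Usage: sh audit-npm-package.sh review   (fetches the pinned tarball, then audits it)
if [ "${1:-}" = "review" ]; then
  dir=$(mktemp -d)
  fetch_tarball "$dir"
  for tgz in "$dir"/*.tgz; do audit_tarball "$tgz"; done
fi
```

Even a package with no hooks still gets full execution the moment you run the CLI with a cookie, so the unpacked copy is where the real reading happens: look for where the cookie is written to disk and which hosts the code talks to before you give it anything.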
Incorrect commands could create, complete, or synchronize the wrong tasks.
These commands are purpose-aligned for a task-management skill, but they can mutate or broadly sync account task data.
dida365 task create "<title>" -p <projectId> ... dida365 task complete <projectId> <taskId> ... dida365 sync all
Require explicit user confirmation for create, complete, or sync operations, especially when task or project IDs are ambiguous.
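One way to enforce that confirmation, as an added example for this report (not code from the ClawScan report or from dida365-ai-tools): a wrapper an agent harness calls instead of `dida365` directly. Read-only commands pass straight through; the three mutating commands quoted above are refused when a required ID is missing and otherwise run only after an explicit yes. The argument shapes follow the quoted SKILL.md lines; the confirmation mechanism (CONFIRM=yes for non-interactive runs, a y/N prompt otherwise) and the DIDA365_BIN override are assumptions of this example.

```shell
#!/bin/sh
# Added example for this review; not code from the ClawScan report or the
# dida365-ai-tools project. Guards the mutating dida365 commands quoted in
# the skill. CONFIRM and DIDA365_BIN are assumptions of this example.

# Classify a command line as "mutate" or "read" from its first two words.
classify() {
  case "$1 $2" in
    "task create"|"task complete"|"sync all") echo mutate ;;
    *) echo read ;;
  esac
}

# Return 0 when the IDs a mutating command needs are present and non-empty:
#   task create "<title>" -p <projectId>
#   task complete <projectId> <taskId>
#   sync all                                (no IDs, but still confirmed)
ids_present() {
  case "$1 $2" in
    "task create")
      shift 2
      title="${1:-}"
      [ -n "$title" ] || return 1
      shift
      while [ $# -gt 0 ]; do
        if [ "$1" = "-p" ]; then
          if [ -n "${2:-}" ]; then return 0; fi
          return 1
        fi
        shift
      done
      return 1 ;;
    "task complete")
      if [ -n "${3:-}" ] && [ -n "${4:-}" ]; then return 0; fi
      return 1 ;;
    *) return 0 ;;
  esac
}

# Run `dida365 ...` only after validation and an explicit confirmation.
# Exit codes: 2 = refused (missing ID), 3 = user declined.
guarded_dida365() {
  kind=$(classify "$1" "${2:-}")
  if [ "$kind" = "mutate" ]; then
    if ! ids_present "$@"; then
      echo "refusing: missing project or task ID in: dida365 $*" >&2
      return 2
    fi
    if [ "${CONFIRM:-}" != "yes" ]; then
      printf 'About to run: dida365 %s\nProceed? [y/N] ' "$*"
      read -r answer
      if [ "$answer" != "y" ]; then
        echo "cancelled" >&2
        return 3
      fi
    fi
  fi
  "${DIDA365_BIN:-dida365}" "$@"
}
```

The wrapper checks only that IDs are present; it cannot tell whether an ID is the right one, which is why the prompt echoes the full command so the person confirming sees exactly which project and task are about to change.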
