v1.0.0

dida365-ticktick-agent

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 6:24 AM.

Analysis

This skill matches its task-management purpose, but it asks you to install an unreviewed global npm tool and give it a TickTick/Dida365 session cookie or API secrets.

Guidance: Treat this as a review-before-install skill. Its purpose is coherent, but before using it you should verify the `dida365-ai-tools` npm package, understand where it stores your cookie, prefer official scoped credentials over a browser session cookie, and only allow task creation/completion after you review the intended command.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
npm install -g dida365-ai-tools

The skill directs users to install an unpinned global npm package that is not included in the reviewed artifacts and is not backed by a source/homepage in the supplied metadata.

User impact: You would be running external package code globally on your machine before giving it access to your task account.
Recommendation: Verify the npm package and maintainer, prefer a pinned version and reviewed source, and avoid entering credentials until the package provenance and behavior are clear.
Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
SKILL.md
dida365 task create "<标题>" -p <projectId> ... dida365 task complete <projectId> <taskId> ... dida365 sync all

The CLI command catalog includes task mutation and full synchronization actions. These are expected for a task-management skill, but they can change account data.

User impact: If invoked incorrectly, the tool could create, complete, or sync tasks in your account.
Recommendation: Review commands before running them, confirm project and task IDs, and avoid allowing automatic task changes unless you are comfortable with the scope.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High | Confidence: High | Status: Concern
SKILL.md
Copy the value of the **t** cookie ... export DIDA365_CLIENT_SECRET="你的_client_secret" ... dida365 auth cookie "你的cookie值"

The skill asks the user to provide a browser session cookie and API client secret to the CLI, while the registry metadata declares no required credentials or environment variables.

User impact: A session cookie or client secret can give the tool access to your Dida365/TickTick account and allow it to read or modify tasks.
Recommendation: Use the least-privileged official authentication method where possible, avoid sharing browser session cookies with unreviewed tools, and revoke or rotate credentials if you test it.