Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ticktick-official-cli

v1.0.1

Uses the official Dida365 OAuth and Open API to manage TickTick (Dida365) tasks (project/task query, create, update, complete, delete). Intended for when the user asks to connect securely and directly to dida365.com (without going through a third-party OAuth relay).

0 · 440 · 0 current · 0 all-time
by whaaatsup@superowenx
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description claim: use official Dida365 OAuth and Open API to manage TickTick (Dida365) tasks — the included scripts implement an OAuth flow, token exchange, local callback listener, and an API client against api.dida365.com. There are no unexpected third-party services or unrelated credentials requested in the code. Network calls are limited to dida365.com / api.dida365.com, consistent with the stated purpose.
Instruction Scope
SKILL.md instructs the user (and agent) to run the bundled scripts in the skill directory, create a Dida365 app, perform setup/login, and use the CLI for project/task operations. The scripts implement a local HTTP callback listener for OAuth and save an access token to ~/.config/ticktick-official/token.env. They also support reading a JSON file when using --item-json with a leading '@'. These behaviors are expected for an OAuth client, but they do mean the skill will read files the user explicitly points to and persist tokens to the user's home config directory.
Install Mechanism
No install spec (instruction-only) and no remote download. All code is bundled with the skill. Dependencies are declared inside script headers (httpx, typer, pydantic, rich) which is reasonable for a Python CLI interacting with HTTP. There are no suspicious external installers or obscure download URLs.
Credentials
Registry metadata lists no required env vars or primary credential, but the code and SKILL.md clearly use and mention environment variables and local config files: TICKTICK_CLIENT_ID, TICKTICK_CLIENT_SECRET, TICKTICK_REDIRECT_URI, TICKTICK_TOKEN, TICKTICK_BASE_URL, and the token/app env files under ~/.config/ticktick-official/. The skill persists an access token to ~/.config/ticktick-official/token.env. Omitting these environment and config requirements from the registry metadata is an inconsistency (likely a benign oversight), but it is worth calling out: the skill handles OAuth credentials and stores a token on disk.
Persistence & Privilege
The skill writes persistent files under the user's home config directory (~/.config/ticktick-official/), including the OAuth token and optional saved app credentials. The skill's always flag is false, and it does not modify other skills or system-wide configs. Persistent storage of an access token is expected for an OAuth CLI, but users should know the token file exists and can be deleted if desired.
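The two behaviours the report describes for the bundled scripts, a loopback listener that receives the OAuth callback and a token.env persisted under the home config directory, are where a CLI like this is most often got wrong. The following is an added example of how to do both defensively; it is not code from the ticktick-official-cli skill. The authorize path, the query parameter names and the demo values are assumptions; only the dida365.com host, the TICKTICK_* variable names and the ~/.config/ticktick-official/token.env location come from the scan report. The callback is rejected unless it carries the random state generated for this login attempt, and the token file is created owner-only rather than chmodded after the fact.

```python
"""Loopback OAuth callback with a CSRF 'state' check, and a token.env written
owner-only. Added example, not code from the ticktick-official-cli skill: the
authorize path, parameter names and demo values are assumed; the dida365.com
host, TICKTICK_* names and ~/.config/ticktick-official/token.env location come
from the scan report."""
import os
import secrets
import stat
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed endpoint path on the host the report names.
AUTH_ENDPOINT = "https://dida365.com/oauth/authorize"


def new_state() -> str:
    """Unguessable, single-use value bound to this login attempt."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id: str, redirect_uri: str, state: str) -> str:
    """URL the user opens; the server must echo 'state' back to redirect_uri."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "state": state,
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def parse_callback(request_target: str, expected_state: str) -> str:
    """Validate the request target the loopback listener received
    (e.g. '/callback?code=...&state=...') and return the authorization code.

    A missing or mismatched state is rejected before the code is used, so a
    crafted link to 127.0.0.1 cannot log the CLI into an attacker's account
    (login CSRF) or replay a stale response.
    """
    query = parse_qs(urlparse(request_target).query)
    state = query.get("state", [""])[0]
    if not state or not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback not from this login attempt")
    if "error" in query:
        raise ValueError(f"authorization server returned error={query['error'][0]}")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


def callback_accepted(request_target: str, expected_state: str) -> bool:
    """True if parse_callback would accept this callback."""
    try:
        parse_callback(request_target, expected_state)
        return True
    except ValueError:
        return False


def save_token_env(token_file: Path, token: str) -> Path:
    """Persist TICKTICK_TOKEN=... readable by the owner only. The file is
    created with mode 0600 (no window where it is world-readable) and
    re-chmodded in case a looser pre-existing file was overwritten."""
    token_file.parent.mkdir(parents=True, exist_ok=True)
    token_file.parent.chmod(0o700)
    fd = os.open(token_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(f"TICKTICK_TOKEN={token}\n")
    token_file.chmod(0o600)
    return token_file


def token_file_mode(token_file: Path) -> int:
    """Permission bits of the token file, e.g. 0o600."""
    return stat.S_IMODE(token_file.stat().st_mode)


def demo_flow(tmp_root: Optional[Path] = None) -> dict:
    """Walk the flow with constructed values; returns what a caller can check."""
    state = new_state()
    url = build_authorize_url("demo-client-id", "http://127.0.0.1:8765/callback", state)
    # Constructed callback, as the browser would hit the listener after consent.
    code = parse_callback(f"/callback?code=demo-auth-code&state={state}", state)
    # Token that the (not shown) code-for-token exchange would return.
    root = tmp_root or Path(tempfile.mkdtemp())
    token_file = save_token_env(root / "ticktick-official" / "token.env", "demo-access-token")
    return {
        "url_has_state": f"state={state}" in url,
        "code": code,
        "mode": token_file_mode(token_file),
        "content": token_file.read_text(encoding="utf-8"),
    }


if __name__ == "__main__":
    print(demo_flow())
```

The listener itself (bind to 127.0.0.1 on the port named in TICKTICK_REDIRECT_URI, accept one request, hand its request target to parse_callback, then close) is deliberately left out so the block runs offline; the state check and the file mode are the parts worth copying into any loopback OAuth client.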
Assessment
This skill appears to be what it claims: a local CLI that uses Dida365's OAuth and Open API. Before installing or running it, consider:
1) The skill will prompt you for a Dida365 client_id and client_secret and may save them (app.env) together with an access token (token.env) under ~/.config/ticktick-official/. Review or remove those files if you stop using the skill.
2) The registry metadata does not declare the env vars or token file locations the scripts use. Treat this as a documentation/metadata omission, confirm that you supply credentials only to the official developer console (https://developer.dida365.com), and check that the authorization and API URLs in the scripts point at dida365.com / api.dida365.com.
3) The skill starts a local HTTP listener on localhost/127.0.0.1 to receive the OAuth callback. Make sure that port is acceptable in your environment and not blocked.
4) If you do not trust the source, inspect the bundled scripts yourself (they are included) before running them. For higher assurance, verify the code signatures or obtain the tool from an official upstream repository.
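Points 2 and 4 above amount to two mechanical checks over the unpacked skill directory: which hosts do the scripts contact, and which environment variables do they read that the registry did not declare. The following is an added example that performs those checks; it is not part of the skill or of ClawHub's scanner. The allowlist, the regexes, the file suffixes and the sample script are assumptions or constructed for the demonstration; the dida365.com hosts and the TICKTICK_* names come from the scan report. The sample script contains one planted foreign URL purely to show what a finding looks like; the report found nothing of the kind in the skill.

```python
"""Pre-run audit of a bundled skill: which hosts its scripts contact, and which
environment variables they read, compared with what the registry declares.
Added example for the checks the scan report suggests; not part of the skill
or of ClawHub's scanner. Allowlist, regexes, suffixes and the sample script
are assumptions/constructed; the dida365.com hosts and TICKTICK_* names come
from the report."""
import re
from pathlib import Path

# Hosts the report says the skill legitimately talks to, plus the loopback
# addresses an OAuth callback listener binds to (reported separately).
ALLOWED_HOSTS = {"dida365.com", "api.dida365.com", "developer.dida365.com"}
LOOPBACK_HOSTS = {"127.0.0.1", "localhost"}
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)
# Matches os.environ["X"], os.environ.get("X") and os.getenv("X").
ENV_READ_RE = re.compile(r"""os\.(?:environ(?:\.get)?|getenv)\s*[\[(]\s*["']([A-Z0-9_]+)["']""")
AUDIT_SUFFIXES = {".py", ".sh", ".md", ".env", ".toml", ".json"}


def audit_source(text: str) -> dict:
    """Hosts and env var names referenced by one file's text."""
    hosts = {h.lower() for h in URL_HOST_RE.findall(text)}
    return {
        "hosts": hosts,
        "loopback": hosts & LOOPBACK_HOSTS,
        "unexpected_hosts": hosts - ALLOWED_HOSTS - LOOPBACK_HOSTS,
        "env_vars": set(ENV_READ_RE.findall(text)),
    }


def audit_dir(skill_dir: Path) -> dict:
    """Union of audit_source over every auditable file under skill_dir."""
    merged = {"hosts": set(), "loopback": set(), "unexpected_hosts": set(), "env_vars": set()}
    for path in sorted(Path(skill_dir).rglob("*")):
        if path.is_file() and path.suffix in AUDIT_SUFFIXES:
            result = audit_source(path.read_text(encoding="utf-8", errors="replace"))
            for key in merged:
                merged[key] |= result[key]
    return merged


def undeclared_env_vars(audit: dict, declared: set) -> set:
    """Variables the code reads that the registry metadata does not list."""
    return audit["env_vars"] - set(declared)


def verdict(audit: dict, declared: set) -> list:
    """Human-readable findings; an empty list means both checks passed."""
    findings = []
    if audit["unexpected_hosts"]:
        findings.append("hosts outside allowlist: " + ", ".join(sorted(audit["unexpected_hosts"])))
    missing = undeclared_env_vars(audit, declared)
    if missing:
        findings.append("env vars read but not declared: " + ", ".join(sorted(missing)))
    return findings


# Constructed stand-in for a bundled script. The last assignment is planted to
# show what a flagged host looks like; the report found nothing like it.
SAMPLE_SCRIPT = '''
import os
BASE_URL = os.getenv("TICKTICK_BASE_URL", "https://api.dida365.com")
AUTHORIZE_URL = "https://dida365.com/oauth/authorize"
CLIENT_ID = os.environ["TICKTICK_CLIENT_ID"]
CLIENT_SECRET = os.environ.get("TICKTICK_CLIENT_SECRET")
REDIRECT_URI = os.getenv("TICKTICK_REDIRECT_URI", "http://127.0.0.1:8765/callback")
PING_URL = "https://example-collector.invalid/ping"
'''

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        report = audit_dir(Path(sys.argv[1]))  # path to the unpacked skill
    else:
        report = audit_source(SAMPLE_SCRIPT)
    print(report)
    for line in verdict(report, declared=set()):  # the registry declared none
        print("FINDING:", line)
```

Run it as `python audit.py /path/to/unpacked-skill` before the first install; a non-empty findings list is the cue to read the offending file by hand, and the env var list is what the registry metadata should have declared. String matching will miss hosts assembled at runtime, so an empty result narrows the manual review rather than replacing it.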

Like a lobster shell, security has layers — review code before you run it.

Tags: cli, dida365, latest, oauth, openclaw-skill, productivity, task-management, ticktick

