Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Dida365 (滴答清单) task management tool
v1.0.0 · Dida365/TickTick task management tool: create, view, complete and delete tasks and projects. Use when the user says: 创建任务、添加待办、今日任务、查看清单、完成任务、滴答清单、TickTick、TODO、待办事项、任务管理、项目管理、标记完成、删除任务、设置截止日期、任务优先级、新建项目、收集箱、inbox.
by 木炭 (@woodcoal)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence
Purpose & Capability
The code, README, and SKILL.md all implement a TickTick/Dida365 CLI that legitimately needs an OAuth client_id/client_secret or an access token. However the registry metadata listed 'Required env vars: none' which is incorrect: auth.py expects DIDA_CLIENT_ID and DIDA_CLIENT_SECRET (or DIDA_ACCESS_TOKEN). This metadata mismatch is inconsistent and should be corrected.
Instruction Scope
SKILL.md instructs the agent/user to populate .env, run `python3 index.py auth`, and use the CLI commands. The runtime instructions remain within the stated purpose (managing projects/tasks). The workflow explicitly warns against auto-deleting and requires user confirmation for destructive actions. The skill does read/write local files (.env, .dida-token.json, .dida-cache.json) which is expected for an OAuth CLI.
Install Mechanism
There is no install spec (instruction-only in registry), but the bundle includes Python source files. No external downloads or package managers are used. Code uses only Python stdlib and will be executed locally; no installer or remote code fetch is present.
Credentials
The code requires secrets (DIDA_CLIENT_ID and DIDA_CLIENT_SECRET or DIDA_ACCESS_TOKEN) which are appropriate for an OAuth client, but the skill metadata failed to declare them. The skill will store tokens (including refresh_token) in a local file (.dida-token.json). Requesting these credentials is proportionate to the stated purpose, but the omission in metadata and local persistence create a higher risk of accidental exposure.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It persists data only to local files (.dida-token.json and .dida-cache.json) in the skill directory; this is expected for a CLI but users should be aware of local file storage and file-permissions risk.
What to consider before installing
This skill is functionally coherent for interacting with Dida365/TickTick, but note two things before installing: (1) The registry metadata incorrectly says there are no required environment variables; you must provide DIDA_CLIENT_ID and DIDA_CLIENT_SECRET (or a DIDA_ACCESS_TOKEN) for it to work. (2) The tool saves OAuth tokens and cache to files in the skill folder (.dida-token.json and .dida-cache.json) and reads .env, so treat those files as secrets: don't commit them to version control, restrict file permissions, and run in an isolated environment if you distrust the source. If you proceed, verify the client_id/client_secret come from your own developer account (developer.dida365.com), and be prepared to revoke the app/refresh token from the developer portal if you suspect compromise. If you want higher assurance, inspect the included Python files locally or run the tool inside a disposable container/VM before granting real credentials.