Dida365 Openapi
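v1.0.0
A task-management Skill built on the official Dida365 (滴答清单) OpenAPI and OAuth2. It connects directly to dida365.com without going through any third-party service; your data travels only between your local machine and the Dida365 servers. Zero third-party dependencies, implemented purely with the Python standard library. Full coverage of create, read, update and delete for projects and tasks, plus completing, moving and filtering, with support for tags, reminders, recurrence rules and other rich features...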
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description promise an OAuth2-backed CLI for Dida365 and the package includes an OAuth helper, an API client, HTTP layer, config persistence, and a CLI. The required env vars (DIDA365_CLIENT_ID and DIDA365_CLIENT_SECRET) are appropriate and expected for this purpose.
Instruction Scope
SKILL.md instructs the agent to run the bundled Python CLI which implements OAuth flows, project/task CRUD, and input validation. The CLI runs a local HTTP listener for the localhost OAuth callback and persists config and token files under ~/.config/dida365-openapi/. This behavior is expected for an OAuth CLI, but note the client_secret and access_token are persisted locally (config.json and token.json).
Install Mechanism
No install spec; code is pure Python and claims zero third-party dependencies and uses the standard library (urllib, http.server, etc.). No remote downloads or package installers are invoked by the skill bundle.
Credentials
The skill requires only DIDA365_CLIENT_ID and DIDA365_CLIENT_SECRET. The code also optionally reads other DIDA365_* env vars (e.g. DIDA365_REDIRECT_URI, DIDA365_ACCESS_TOKEN, DIDA365_AUTH_BASE_URL, DIDA365_API_BASE_URL) as documented in references; those are optional and sensible. Storing client_secret and access_token locally is implemented and the code redacts secrets when printing status, but the config/token files will contain sensitive values unless the user omits them.
Persistence & Privilege
always is false and the skill does not request system-wide privileges. It persists its own config and token files under an XDG config path (~/.config/dida365-openapi/) with file permission handling (path parent set to 0700 and token file to 0600 on non-Windows). It does not modify other skills or global agent settings.
Assessment
This skill appears to do what it says: a local Python CLI that calls the official Dida365 OpenAPI. Before installing, consider:
1) Only provide a Dida365 OAuth app's client_id/client_secret that you control or trust; the skill will persist client_secret and the access_token to ~/.config/dida365-openapi/config.json and token.json.
2) The CLI uses a localhost callback (defaults to http://127.0.0.1:36500/callback) — make sure that port is acceptable in your environment.
3) The skill does not auto-refresh tokens in v1, so reauthorization may be necessary when tokens expire.
4) Optional env vars (DIDA365_REDIRECT_URI, DIDA365_ACCESS_TOKEN, DIDA365_API_BASE_URL, etc.) are supported — review them if you plan to override defaults.
If you need extra assurance, inspect the bundled scripts (they're included) or run the CLI audit commands (auth status) before using it with real account data.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Bins: python
Env: DIDA365_CLIENT_ID, DIDA365_CLIENT_SECRET
