Ticktick

by halr9000 · GitHub ↗ · v0.2.0 · MIT-0
cross-platform ⚠ suspicious
Downloads: 106
Stars: 0
Active Installs: 0
Versions: 1
Install in OpenClaw
/install ticktick-enhanced
Description
Manage TickTick tasks and projects
Usage Guidance
What to consider before installing:
  - Runtime requirement: The code and SKILL.md assume the 'bun' runtime (shebangs and 'bun run' commands). The registry lists no required binaries. If you don't have Bun, the skill will likely fail or require manual setup. Confirm whether you are comfortable installing Bun or adjusting the skill to use your environment.
  - Credentials & storage: You will need to provide a TickTick OAuth client_id and client_secret during initial setup. These are stored under ~/.clawdbot/credentials/ticktick-cli/config.json (file permissions are set to be restrictive). Ensure you trust the skill author before storing OAuth credentials locally.
  - Metadata mismatch: The embedded _meta.json ownerId differs from the registry Owner ID. This could be an innocuous packaging oversight, but it's worth verifying the publisher/source before granting access to your TickTick account.
  - Dependencies & install: The repository includes package.json and package-lock.json (many npm deps). There is no install spec, so you may need to manually install dependencies or ensure Bun supports running the TypeScript files as-is. Manual installation increases risk of mistakes — prefer a skill that documents required runtime and install steps.
  - Local OAuth server: The skill spins up a temporary localhost server to complete OAuth. This is normal for CLI OAuth flows, but be aware it listens on 127.0.0.1:8080 during auth and will open a browser. Ensure you only accept the OAuth redirect you initiated.
  - Review before running: If you are not comfortable with the small inconsistencies above, ask the publisher for clarification or request a version that declares 'bun' as a required binary and confirms the ownerId/source. If you proceed, inspect the files locally (especially scripts/auth.ts and where credentials are saved) and consider running inside a controlled environment (container) first.
Capability Analysis
Type: OpenClaw Skill
Name: ticktick-enhanced
Version: 0.2.0

The skill bundle contains a critical shell injection vulnerability in `index.ts`, where user-provided arguments are concatenated into a command string and executed via `Bun.spawnSync` without sanitization. While the skill's logic for managing TickTick tasks via OAuth2 and the official API (`https://api.ticktick.com`) appears legitimate and well-structured, this implementation flaw allows for arbitrary command execution. The skill also handles sensitive credentials stored in `~/.clawdbot/credentials/ticktick-cli/`, which increases the impact of the execution vulnerability.
Capability Assessment
Purpose & Capability
Functionality (OAuth flow, calling api.ticktick.com, listing/creating/updating tasks/projects) matches the declared purpose. However, the skill's runtime implicitly requires the 'bun' runtime (scripts use bun shebang and SKILL.md instructs 'bun run ...') but the registry metadata lists no required binaries — that's an inconsistency. Also the package/_meta ownerId in files differs from the registry ownerId, which is unusual and worth verifying with the publisher.
Instruction Scope
SKILL.md and the code confine behavior to task/project management via the TickTick API. The instructions ask you to run an OAuth flow and the code only reads/writes config and credential files under the user's home directory (e.g., ~/.clawdbot/credentials/ticktick-cli and ~/.config/ticktick-skill) and contacts api.ticktick.com. There are no instructions to read unrelated system files or to send data to third-party endpoints beyond TickTick.
Install Mechanism
There is no install spec (instruction-only), which is low risk, but the skill ships many TypeScript files and a package.json/package-lock with dependencies. Without an install step, execution depends on the host having the appropriate runtime (Bun) and possibly those dependencies. That mismatch (no declared binary but code assuming 'bun') is a coherence issue: the skill may fail or require manual installation steps, and bundling many dependencies with no automated install increases friction and potential for user mistakes.
Credentials
The skill requests no environment variables or external credentials via registry metadata; at runtime it requires an OAuth client_id and client_secret (saved locally) to access TickTick, which is appropriate for the stated purpose. It writes tokens and config under the user's home directory with file permissions set to restrict access (mode 0700 for dir, 0600 for file), which is proportional and expected.
Persistence & Privilege
The skill does not request always:true and is user-invocable only. It stores its own credentials/config in user-local directories, creates a short-lived local HTTP server during OAuth (listening on localhost:8080) and does not modify other skills or global agent settings. These behaviors are typical for an OAuth-enabled CLI.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install ticktick-enhanced
  3. After installation, invoke the skill by name or use /ticktick-enhanced
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.2.0
Phase 1+2 improvements: ID-mandatory operations, triage command, focus mode, config, rich output, docs. ADHD-friendly features.
Metadata
Slug: ticktick-enhanced
Version: 0.2.0
License: MIT-0
All-time Installs: 0
Active Installs: 0
Total Versions: 1
Frequently Asked Questions

What is Ticktick?

Manage TickTick tasks and projects. It is an AI Agent Skill for Claude Code / OpenClaw, with 106 downloads so far.

How do I install Ticktick?

Run "/install ticktick-enhanced" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Ticktick free?

Yes, Ticktick is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Ticktick support?

Ticktick is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Ticktick?

It is built and maintained by halr9000 (@halr9000); the current version is v0.2.0.
