ticktick-official-cli

by whaaatsup · GitHub ↗ · v1.0.1
Platform: cross-platform · ⚠ suspicious
Downloads: 531
Stars: 0
Active Installs: 0
Versions: 2
Install in OpenClaw: /install ticktick-official-cli
Description
Manage TickTick (Dida365) with the official Dida365 OAuth and Open API (query, create, update, complete and delete projects/tasks). Use it when the user asks for a secure, direct connection to dida365.com (without a third-party OAuth relay).
Usage Guidance
This skill appears to be what it claims: a local CLI that uses Dida365's OAuth and Open API. Before installing or running it, consider:
  1. The skill will prompt you to provide a Dida365 client_id and client_secret and may save them (app.env) and an access token (token.env) under ~/.config/ticktick-official/. Review or remove those files if you stop using the skill.
  2. The registry metadata did not declare the env vars or token file locations even though the scripts use them. Treat this as a documentation/metadata omission, and confirm you supply credentials only to the official developer console (https://developer.dida365.com) and that the authorization URLs are dida365.com/api.dida365.com.
  3. The skill launches a local HTTP listener to receive the OAuth callback (localhost/127.0.0.1). Ensure that port is acceptable and not blocked.
  4. If you do not trust the source, inspect the bundled scripts yourself (they are included) before running.
If you want higher assurance, verify the code signatures or obtain the tool from an official upstream repository.
Capability Analysis
Type: OpenClaw Skill
Name: ticktick-official-cli
Version: 1.0.1
The skill is generally benign, providing legitimate integration with the Dida365 API. However, a significant prompt injection vulnerability exists in `scripts/ticktick_cli.py`. The `--item-json @path` option in `task create` and `task update` commands allows reading arbitrary local files (e.g., `@/etc/passwd`, `@~/.ssh/id_rsa`). A maliciously prompted AI agent could be instructed to read sensitive files and exfiltrate their content by including it in a task's checklist items, which are then sent to the Dida365 API. This constitutes a local file inclusion leading to data exfiltration via prompt injection.
Capability Assessment
Purpose & Capability
Name/description claim: use official Dida365 OAuth and Open API to manage TickTick (Dida365) tasks — the included scripts implement an OAuth flow, token exchange, local callback listener, and an API client against api.dida365.com. There are no unexpected third-party services or unrelated credentials requested in the code. Network calls are limited to dida365.com / api.dida365.com, consistent with the stated purpose.
Instruction Scope
SKILL.md instructs the user (and agent) to run the bundled scripts in the skill directory, create a Dida365 app, perform setup/login, and use the CLI for project/task operations. The scripts implement a local HTTP callback listener for OAuth and save an access token to ~/.config/ticktick-official/token.env. They also support reading a JSON file when using --item-json with a leading '@'. These behaviors are expected for an OAuth client, but they do mean the skill will read files the user explicitly points to and persist tokens to the user's home config directory.
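The `@path` reader described in the capability analysis and in the instruction scope above is the part of the skill worth hardening. The following is an added illustration, not code from ticktick-official-cli: it places a naive `@path` loader (which opens whatever the process can read) next to a restricted one that only accepts files inside an explicitly allowed workspace directory, does not expand `~`, follows symlinks before checking the boundary, caps the file size, and requires a JSON array of checklist objects. The function names, the `MAX_BYTES` limit and the constructed files in `demo()` are assumptions for the example.

```python
"""Unrestricted vs. workspace-restricted loading of a "--item-json @path" argument.

Added example (not the skill's own code). Names and limits are illustrative.
"""
import json
import os
import tempfile
from pathlib import Path

MAX_BYTES = 64 * 1024  # assumed cap: checklist JSON should never be large


class ItemJsonError(ValueError):
    """Raised when an @path argument or its contents is rejected."""


def validate_items(data):
    """Accept only a JSON array of objects with a string 'title' and a 0/1 status.

    Anything else (a string blob, a nested dump of some other file) is rejected,
    so file contents cannot be smuggled out as 'checklist items'.
    """
    if not isinstance(data, list):
        raise ItemJsonError("checklist items must be a JSON array")
    items = []
    for i, item in enumerate(data):
        if not isinstance(item, dict) or not isinstance(item.get("title"), str):
            raise ItemJsonError(f"item {i}: expected an object with a string 'title'")
        status = item.get("status", 0)
        if status not in (0, 1):
            raise ItemJsonError(f"item {i}: status must be 0 or 1")
        items.append({"title": item["title"], "status": status})
    return items


def load_items_unrestricted(arg):
    """Naive pattern flagged by the analysis: '@path' opens any readable file."""
    if arg.startswith("@"):
        with open(os.path.expanduser(arg[1:]), "r", encoding="utf-8") as f:
            return json.load(f)
    return json.loads(arg)


def load_items_restricted(arg, workspace):
    """Hardened loader: '@path' must resolve to a regular file under workspace."""
    if not arg.startswith("@"):
        return validate_items(json.loads(arg))
    raw = arg[1:]
    root = Path(workspace).resolve(strict=True)
    # No expanduser(): '@~/.ssh/id_rsa' is just a (non-existent) relative name.
    # resolve() follows symlinks, so a link inside the workspace that points
    # outside is compared by its real target, not by where the link sits.
    candidate = (root / raw).resolve()
    if root not in candidate.parents:
        raise ItemJsonError(f"refusing to read outside workspace: {raw}")
    if not candidate.is_file():
        raise ItemJsonError(f"not a regular file: {raw}")
    if candidate.stat().st_size > MAX_BYTES:
        raise ItemJsonError(f"file too large (> {MAX_BYTES} bytes): {raw}")
    return validate_items(json.loads(candidate.read_text(encoding="utf-8")))


def demo():
    """Constructed scenario: a workspace with a legitimate items file, a file
    outside it, and a symlink inside the workspace pointing at the outside file.
    Returns (items accepted, arguments refused, what the naive loader leaks).
    """
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        workspace = tmp / "workspace"
        workspace.mkdir()
        outside = tmp / "secret.txt"
        outside.write_text('["not yours"]', encoding="utf-8")
        (workspace / "items.json").write_text(
            json.dumps([{"title": "Write report"}, {"title": "Review PR", "status": 1}]),
            encoding="utf-8",
        )
        attempts = ["@../secret.txt", "@" + str(outside)]
        link = workspace / "link.json"
        try:
            link.symlink_to(outside)
            attempts.append("@link.json")
        except OSError:
            pass  # platform without symlink support; skip that case
        accepted = load_items_restricted("@items.json", workspace)
        refused = []
        for arg in attempts:
            try:
                load_items_restricted(arg, workspace)
            except ItemJsonError:
                refused.append(arg)
        leaked = load_items_unrestricted("@" + str(outside))
        return accepted, refused, leaked


if __name__ == "__main__":
    accepted, refused, leaked = demo()
    print("accepted:", accepted)
    print("refused:", refused)
    print("naive loader returned:", leaked)
```

The boundary check relies on `resolve()` having already followed symlinks, so `root in candidate.parents` is a comparison of real paths; checking the unresolved string with `startswith` would miss both `..` segments and symlinks. Pairing the path restriction with a strict schema for the parsed items is what stops the exfiltration channel rather than just narrowing it.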
Install Mechanism
No install spec (instruction-only) and no remote download. All code is bundled with the skill. Dependencies are declared inside script headers (httpx, typer, pydantic, rich) which is reasonable for a Python CLI interacting with HTTP. There are no suspicious external installers or obscure download URLs.
Credentials
Registry metadata lists no required env vars or primary credential, but the code and SKILL.md clearly use/mention environment variables and local config files: TICKTICK_CLIENT_ID, TICKTICK_CLIENT_SECRET, TICKTICK_REDIRECT_URI, TICKTICK_TOKEN, TICKTICK_BASE_URL, and the token/app env files under ~/.config/ticktick-official/. The skill will persist an access token to ~/.config/ticktick-official/token.env. The omission of these environment/config requirements from the registry metadata is an inconsistency (likely benign/oversight) but worth calling out because you should be aware the skill handles OAuth credentials and stores a token on disk.
Persistence & Privilege
The skill writes persistent files under the user's home config directory (~/.config/ticktick-official/), including the OAuth token and optional saved app credentials. The `always` flag is false, and the skill does not modify other skills or system-wide configs. Persistent storage of an access token is expected for an OAuth CLI, but users should know the token file exists and can be deleted if desired.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install ticktick-official-cli
  3. After installation, invoke the skill by name or use /ticktick-official-cli
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
- Removed redundant files: README.md and assets/ticktick-oauth-worker.js.
- No changes to functionality; onboarding and usage remain the same.
- Documentation and main workflow unaffected.
v1.0.0
Initial release of ticktick-official-cli:
- Manage TickTick (Dida365) projects and tasks via official OAuth and Open API.
- Direct, secure authentication with dida365.com (no third-party OAuth relay).
- One-click setup and login flows with automatic token saving/refreshing.
- Supports project/task create, query, update, complete, and delete operations.
- Provides both automated onboarding and manual alternative authentication steps.
- Always uses official domains; warnings included for potentially destructive actions.
Metadata
Slug: ticktick-official-cli
Version: 1.0.1
License: not listed
All-time Installs: 0
Active Installs: 0
Total Versions: 2
Frequently Asked Questions

What is ticktick-official-cli?

Manage TickTick (Dida365) with the official Dida365 OAuth and Open API (query, create, update, complete and delete projects/tasks). Use it when the user asks for a secure, direct connection to dida365.com (without a third-party OAuth relay). It is an AI Agent Skill for Claude Code / OpenClaw, with 531 downloads so far.

How do I install ticktick-official-cli?

Run "/install ticktick-official-cli" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is ticktick-official-cli free?

Yes, ticktick-official-cli is completely free (open-source). You can download, install and use it at no cost.

Which platforms does ticktick-official-cli support?

ticktick-official-cli is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created ticktick-official-cli?

It is built and maintained by whaaatsup (@superowenx); the current version is v1.0.1.