Total downloads: 106
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install ticktick-enhanced
Description
Manage TickTick tasks and projects
Security recommendations
What to consider before installing:
- Runtime requirement: The code and SKILL.md assume the 'bun' runtime (shebangs and 'bun run' commands). The registry lists no required binaries. If you don't have Bun, the skill will likely fail or require manual setup. Confirm whether you are comfortable installing Bun or adjusting the skill to use your environment.
- Credentials & storage: You will need to provide a TickTick OAuth client_id and client_secret during initial setup. These are stored under ~/.clawdbot/credentials/ticktick-cli/config.json (file permissions are set to be restrictive). Ensure you trust the skill author before storing OAuth credentials locally.
- Metadata mismatch: The embedded _meta.json ownerId differs from the registry Owner ID. This could be an innocuous packaging oversight, but it's worth verifying the publisher/source before granting access to your TickTick account.
- Dependencies & install: The repository includes package.json and package-lock.json (many npm deps). There is no install spec, so you may need to manually install dependencies or ensure Bun supports running the TypeScript files as-is. Manual installation increases risk of mistakes — prefer a skill that documents required runtime and install steps.
- Local OAuth server: The skill spins up a temporary localhost server to complete OAuth. This is normal for CLI OAuth flows, but be aware it listens on 127.0.0.1:8080 during auth and will open a browser. Ensure you only accept the OAuth redirect you initiated.
- Review before running: If you are not comfortable with the small inconsistencies above, ask the publisher for clarification or request a version that declares 'bun' as a required binary and confirms the ownerId/source. If you proceed, inspect the files locally (especially scripts/auth.ts and where credentials are saved) and consider running inside a controlled environment (container) first.
Functional analysis
Type: OpenClaw Skill
Name: ticktick-enhanced
Version: 0.2.0
The skill bundle contains a critical shell injection vulnerability in `index.ts`, where user-provided arguments are concatenated into a command string and executed via `Bun.spawnSync` without sanitization. While the skill's logic for managing TickTick tasks via OAuth2 and the official API (`https://api.ticktick.com`) appears legitimate and well-structured, this implementation flaw allows for arbitrary command execution. The skill also handles sensitive credentials stored in `~/.clawdbot/credentials/ticktick-cli/`, which increases the impact of the execution vulnerability.
Capability assessment
Purpose & Capability
Functionality (OAuth flow, calling api.ticktick.com, listing/creating/updating tasks/projects) matches the declared purpose. However, the skill's runtime implicitly requires the 'bun' runtime (scripts use bun shebang and SKILL.md instructs 'bun run ...') but the registry metadata lists no required binaries — that's an inconsistency. Also the package/_meta ownerId in files differs from the registry ownerId, which is unusual and worth verifying with the publisher.
Instruction Scope
SKILL.md and the code confine behavior to task/project management via the TickTick API. The instructions ask you to run an OAuth flow and the code only reads/writes config and credential files under the user's home directory (e.g., ~/.clawdbot/credentials/ticktick-cli and ~/.config/ticktick-skill) and contacts api.ticktick.com. There are no instructions to read unrelated system files or to send data to third-party endpoints beyond TickTick.
Install Mechanism
There is no install spec (instruction-only), which is low risk, but the skill ships many TypeScript files and a package.json/package-lock with dependencies. Without an install step, execution depends on the host having the appropriate runtime (Bun) and possibly those dependencies. That mismatch (no declared binary but code assuming 'bun') is a coherence issue: the skill may fail or require manual installation steps, and bundling many dependencies with no automated install increases friction and potential for user mistakes.
Credentials
The skill requests no environment variables or external credentials via registry metadata; at runtime it requires an OAuth client_id and client_secret (saved locally) to access TickTick, which is appropriate for the stated purpose. It writes tokens and config under the user's home directory with file permissions set to restrict access (mode 0700 for dir, 0600 for file), which is proportional and expected.
Persistence & Privilege
The skill does not request always:true and is user-invocable only. It stores its own credentials/config in user-local directories, creates a short-lived local HTTP server during OAuth (listening on localhost:8080) and does not modify other skills or global agent settings. These behaviors are typical for an OAuth-enabled CLI.
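How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install ticktick-enhanced
- Once installation completes, invoke the Skill by name or trigger it with /ticktick-enhanced
- Provide the required input according to the Skill's parameter description to get structured output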
Version history
v0.2.0
Phase 1+2 improvements: ID-mandatory operations, triage command, focus mode, config, rich output, docs. ADHD-friendly features.
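Metadata
FAQ
What is Ticktick?
Manage TickTick tasks and projects. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 106 total downloads to date.
How do I install Ticktick?
Run the command "/install ticktick-enhanced" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is required.
Is Ticktick free?
Yes, Ticktick is completely free and uses the MIT-0 license; it can be freely downloaded, installed and used.
Which platforms does Ticktick support?
Ticktick is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Ticktick?
Developed and maintained by halr9000 (@halr9000); the current version is v0.2.0.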