superowenx / ticktick-official-cli

Author: whaaatsup · GitHub · v1.0.1
Platform: cross-platform · Status: ⚠ suspicious
Total downloads: 531 · Favorites: 0 · Current installs: 0 · Versions: 2
Install in OpenClaw:
/install ticktick-official-cli
Description
Manage Dida365 (TickTick) through the official Dida365 OAuth and Open API: query, create, update, complete and delete projects and tasks. Use it when the user asks to connect directly and securely to dida365.com, without a third-party OAuth relay.
Safe usage advice
This skill appears to be what it claims: a local CLI that uses Dida365's OAuth and Open API. Before installing or running it, consider the following.
1) The skill will prompt for a Dida365 client_id and client_secret and may save them (app.env), together with an access token (token.env), under ~/.config/ticktick-official/. Review or delete those files when you stop using the skill, and check their permissions: anyone who can read token.env can act on your Dida365 account until the token expires or is revoked.
2) The registry metadata does not declare the environment variables or the token-file locations the scripts use. Treat this as a documentation/metadata omission, but confirm that you enter credentials only in the official developer console (https://developer.dida365.com) and that the authorization URLs the scripts open are on dida365.com / api.dida365.com.
3) The skill starts a local HTTP listener (localhost / 127.0.0.1) to receive the OAuth callback. Make sure that port is acceptable and not blocked, and that the listener is bound to the loopback interface only.
4) The --item-json @path option reads any local file the path names (see the functional analysis below). If an AI agent drives this CLI while processing untrusted content, that is a file-read primitive the content can steer; keep that in mind when deciding what the agent may read.
5) If you do not trust the source, read the bundled scripts (they ship with the skill) before running them. For higher assurance, verify code signatures where the author publishes them, or obtain the tool from the official upstream repository.
Functional analysis
Type: OpenClaw Skill · Name: ticktick-official-cli · Version: 1.0.1
The skill is generally benign and provides a legitimate integration with the Dida365 API. One notable risk exists in `scripts/ticktick_cli.py`: the `--item-json @path` option of the `task create` and `task update` commands reads whatever local file the path names (for example `@/etc/passwd` or `@~/.ssh/id_rsa`) and uses its contents as checklist items. As a convenience for a human user this is ordinary. When the CLI is driven by an AI agent, however, content the agent processes (a web page, a document, a task description) can instruct it to read a sensitive file and place the contents in a task's checklist items, which the CLI then sends to the Dida365 API. The result is an arbitrary local file read that becomes a data-exfiltration channel under prompt injection; the sensitive data leaves the machine through an otherwise legitimate API call to api.dida365.com.
Capability assessment
Purpose & Capability
Name/description claim: use official Dida365 OAuth and Open API to manage TickTick (Dida365) tasks — the included scripts implement an OAuth flow, token exchange, local callback listener, and an API client against api.dida365.com. There are no unexpected third-party services or unrelated credentials requested in the code. Network calls are limited to dida365.com / api.dida365.com, consistent with the stated purpose.
Instruction Scope
SKILL.md instructs the user (and the agent) to run the bundled scripts from the skill directory, create a Dida365 app, perform setup/login, and use the CLI for project and task operations. The scripts implement a local HTTP callback listener for OAuth and save an access token to ~/.config/ticktick-official/token.env. They also read a JSON file when --item-json is given a value with a leading '@'; this is the file-read behaviour flagged in the functional analysis. These behaviours are expected for an OAuth client, but they mean the skill will read whatever file it is pointed at, whether by the user or by an agent acting on the user's behalf, and will persist tokens to the user's home config directory.
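The file-read behaviour flagged in the functional analysis and restated in this Instruction Scope paragraph is a pattern rather than a one-line bug, so an added example is useful here. The following Python is not the skill's code: it places the unrestricted form of an `@path` argument next to a hardened loader that confines reads to a caller-chosen directory (after resolving symlinks and `..`), caps the file size, and validates the parsed JSON against a checklist schema before anything would be sent to the API. The function names, the schema (`title` with an optional `status`) and the temp-directory scenario in `demo()` are assumptions for illustration.

```python
"""Unrestricted vs. confined handling of an "@path" JSON argument.

Added example, not code from ticktick-official-cli. The checklist schema
(objects with a string "title" and optional "status") is assumed.
"""
import json
import os
import tempfile
from pathlib import Path


class RejectedPath(ValueError):
    """Raised when an @path argument points outside the allowed directory."""


def load_items_unsafe(arg: str) -> str:
    """The pattern under discussion: '@' means 'read this file', no limits.

    Returns the raw text, which a CLI would forward upstream as checklist
    items; '@~/.ssh/id_rsa' or '@/etc/passwd' are accepted as-is.
    """
    if arg.startswith("@"):
        return Path(os.path.expanduser(arg[1:])).read_text()
    return arg


def load_items_safe(arg: str, allowed_dir: Path, max_bytes: int = 64 * 1024) -> list:
    """Hardened variant.

    1. Only regular files under allowed_dir are readable, after resolving
       symlinks and '..', so an agent cannot be steered to arbitrary paths.
    2. The content must be small and parse as a JSON list of checklist
       objects; a private key or shadow file fails validation instead of
       being forwarded.
    """
    if arg.startswith("@"):
        base = allowed_dir.resolve()
        target = Path(os.path.expanduser(arg[1:])).resolve()
        if not target.is_relative_to(base):
            raise RejectedPath(f"{arg[1:]} resolves outside {base}")
        if not target.is_file() or target.stat().st_size > max_bytes:
            raise RejectedPath(f"{target} is not a regular file under {max_bytes} bytes")
        text = target.read_text(encoding="utf-8")
    else:
        text = arg

    items = json.loads(text)
    if not isinstance(items, list):
        raise ValueError("checklist must be a JSON list")
    for item in items:
        if not isinstance(item, dict) or not isinstance(item.get("title"), str):
            raise ValueError("each checklist item must be an object with a string 'title'")
        unknown = set(item) - {"title", "status"}
        if unknown:
            raise ValueError(f"unexpected checklist keys: {sorted(unknown)}")
    return items


def demo() -> dict:
    """Constructed scenario: a legitimate items.json beside a stand-in private key."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        allowed = root / "items"
        allowed.mkdir()
        (allowed / "items.json").write_text(
            json.dumps([{"title": "buy milk", "status": 0}, {"title": "call bank"}])
        )
        secret = root / "id_rsa"  # stands in for ~/.ssh/id_rsa; constructed content
        secret.write_text("-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n")

        result = {
            "unsafe_leaks_secret": "PRIVATE KEY" in load_items_unsafe(f"@{secret}"),
            "safe_accepts_items": load_items_safe(f"@{allowed / 'items.json'}", allowed),
        }
        try:
            load_items_safe(f"@{secret}", allowed)
            result["safe_rejects_secret"] = False
        except RejectedPath:
            result["safe_rejects_secret"] = True
        # A symlink placed inside the allowed dir but pointing outside it is
        # caught by resolve(); None means the platform refused to create a link.
        link = allowed / "sneaky.json"
        try:
            link.symlink_to(secret)
            load_items_safe(f"@{link}", allowed)
            result["safe_rejects_symlink"] = False
        except RejectedPath:
            result["safe_rejects_symlink"] = True
        except OSError:
            result["safe_rejects_symlink"] = None
        return result


if __name__ == "__main__":
    print(demo())
```

Confining the read to a directory the user chose (for example a checklist folder inside the skill's own config directory) removes the incentive for an injected instruction to name `/etc/passwd`, and the schema check means that even a file inside that directory is only forwarded when it actually looks like checklist items.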
Install Mechanism
No install spec (instruction-only) and no remote download. All code is bundled with the skill. Dependencies are declared inside script headers (httpx, typer, pydantic, rich) which is reasonable for a Python CLI interacting with HTTP. There are no suspicious external installers or obscure download URLs.
Credentials
Registry metadata lists no required environment variables or primary credential, yet the code and SKILL.md clearly use TICKTICK_CLIENT_ID, TICKTICK_CLIENT_SECRET, TICKTICK_REDIRECT_URI, TICKTICK_TOKEN and TICKTICK_BASE_URL, together with the token/app env files under ~/.config/ticktick-official/. The skill persists an access token to ~/.config/ticktick-official/token.env. The missing declarations are most likely an oversight rather than concealment, but they matter: a user who reads only the registry page would not learn that the skill handles OAuth client credentials and stores an access token on disk.
Persistence & Privilege
The skill writes persistent files under the user's home config directory (~/.config/ticktick-official/), including the OAuth token and, optionally, the saved app credentials. The `always` flag is false, and the skill does not modify other skills or system-wide configuration. Persisting an access token is expected for an OAuth CLI, but users should know the file exists, that it grants access to their Dida365 account to anyone who can read it, and that it can be deleted when no longer needed (deleting the file does not invalidate the token on the server side).
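The two behaviours the assessment describes, a loopback HTTP listener for the OAuth redirect (Purpose & Capability, Instruction Scope) and an access token persisted under ~/.config/ticktick-official/token.env (Credentials, Persistence & Privilege), are worth seeing with the checks a reviewer would expect. This Python is an added example, not the skill's code: the listener binds to 127.0.0.1 only, serves a single request, and rejects any callback whose `state` does not match the value issued for this login; the token file is created with mode 0600 from its first write. Dida365's endpoint paths, parameter names and the token exchange itself are not reproduced. `start_listener`, `await_code`, `parse_callback` and `save_token` are illustrative names, and `demo()` drives the listener with a constructed redirect so it runs offline.

```python
"""Loopback OAuth callback with state check, and owner-only token persistence.

Added example, not code from ticktick-official-cli.
"""
import os
import secrets
import stat
import tempfile
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from pathlib import Path
from urllib.parse import parse_qs, urlparse


class CallbackError(Exception):
    """Raised when the redirect carries an error, no code, or the wrong state."""


def parse_callback(path: str, expected_state: str) -> str:
    """Return the authorization code from a redirect such as /callback?code=..&state=..

    Any process on the machine can send a request to 127.0.0.1:<port>; only the
    genuine redirect knows the random state issued for this login, so a
    mismatch is dropped instead of being exchanged for a token.
    """
    query = parse_qs(urlparse(path).query)
    if "error" in query:
        raise CallbackError(f"authorization server returned {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise CallbackError("state mismatch; ignoring callback")
    code = query.get("code", [None])[0]
    if not code:
        raise CallbackError("callback carried no authorization code")
    return code


class _CallbackHandler(BaseHTTPRequestHandler):
    """Handles one redirect and records the outcome on the server object."""

    def do_GET(self):
        try:
            self.server.result["code"] = parse_callback(self.path, self.server.expected_state)
            status, body = 200, b"Login complete. You can close this tab."
        except CallbackError as exc:
            self.server.result["error"] = exc
            status, body = 400, str(exc).encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_):
        pass  # keep code and state values out of stdout


def start_listener(expected_state: str, port: int = 0, timeout: float = 120.0):
    """Bind to the loopback interface only (never 0.0.0.0); return (server, port).

    port=0 lets the OS pick a free port; the caller puts the returned port into
    redirect_uri before opening the browser.
    """
    server = HTTPServer(("127.0.0.1", port), _CallbackHandler)
    server.timeout = timeout
    server.expected_state = expected_state
    server.result = {}
    return server, server.server_address[1]


def await_code(server: HTTPServer) -> str:
    """Serve exactly one request, close the socket, and return the verified code."""
    try:
        server.handle_request()
    finally:
        server.server_close()
    if "error" in server.result:
        raise server.result["error"]
    if "code" not in server.result:
        raise CallbackError("no callback received before timeout")
    return server.result["code"]


def save_token(token_file: Path, access_token: str) -> int:
    """Write TICKTICK_TOKEN=... owner-readable only; return the file's mode bits."""
    token_file.parent.mkdir(parents=True, exist_ok=True)
    # 0600 at open time leaves no window where another user could read the
    # token; the chmod afterwards tightens a pre-existing file with looser bits.
    fd = os.open(token_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(f"TICKTICK_TOKEN={access_token}\n")
    os.chmod(token_file, 0o600)
    return stat.S_IMODE(token_file.stat().st_mode)


def demo() -> dict:
    """Constructed run: a fake browser redirect hits the listener, then a token is saved."""
    state = secrets.token_urlsafe(16)
    server, port = start_listener(state, timeout=10)
    redirect = f"http://127.0.0.1:{port}/callback?code=constructed-code&state={state}"
    fake_browser = threading.Thread(target=lambda: urllib.request.urlopen(redirect).read())
    fake_browser.start()
    code = await_code(server)
    fake_browser.join()
    with tempfile.TemporaryDirectory() as tmp:
        mode = save_token(Path(tmp) / "ticktick-official" / "token.env", "constructed-token")
    return {"code": code, "mode": mode, "port": port}


if __name__ == "__main__":
    print(demo())
```

In a real login the caller would build redirect_uri from the port returned by `start_listener`, open the authorization URL in the browser, exchange the code returned by `await_code` at the token endpoint, and only then call `save_token`. Checking `stat.S_IMODE(...) == 0o600` on an existing token.env is also a quick way to audit what the installed skill actually wrote.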
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment).
  2. Enter the install command in the chat box: /install ticktick-official-cli
  3. After installation, invoke the skill by name or trigger it with /ticktick-official-cli.
  4. Provide the inputs required by the skill's parameter description to receive structured output.
Version history
v1.0.1
- Removed redundant files: README.md and assets/ticktick-oauth-worker.js.
- No changes to functionality; onboarding and usage remain the same.
- Documentation and main workflow unaffected.
v1.0.0
Initial release of ticktick-official-cli:
- Manage TickTick (Dida365) projects and tasks via official OAuth and Open API.
- Direct, secure authentication with dida365.com (no third-party OAuth relay).
- One-click setup and login flows with automatic token saving/refreshing.
- Supports project/task create, query, update, complete, and delete operations.
- Provides both automated onboarding and manual alternative authentication steps.
- Always uses official domains; warnings included for potentially destructive actions.
Metadata
Slug: ticktick-official-cli
Version: 1.0.1
License: (none listed)
Total installs: 0
Current installs: 0
Versions: 2
FAQ

What is ticktick-official-cli?

It manages Dida365 (TickTick) through the official Dida365 OAuth and Open API (project/task query, create, update, complete, delete), and is meant for users who want to connect directly and securely to dida365.com without a third-party OAuth relay. It is an AI agent skill plugin for Claude Code / OpenClaw with 531 downloads to date.

How do I install ticktick-official-cli?

Run the command "/install ticktick-official-cli" in the OpenClaw or Claude Code chat box. Note that, as described under Safe usage advice, the skill still needs a Dida365 client_id and client_secret and a login step before it can be used.

Is ticktick-official-cli free?

Yes, ticktick-official-cli is free to download, install and use. The listing describes it as open source, although its license field is empty.

Which platforms does ticktick-official-cli support?

ticktick-official-cli is cross-platform and runs in any environment where OpenClaw / Claude Code is deployed.

Who developed ticktick-official-cli?

Developed and maintained by whaaatsup (@superowenx); the current version is v1.0.1.
