Is ticktick safe?
https://clawhub.ai/ManuelHettich/ticktick
The TickTick CLI skill is a legitimate task management integration that communicates exclusively with official TickTick API endpoints. No prompt injection, hidden instructions, or data exfiltration mechanisms were found. The primary concerns are plaintext credential storage (standard for CLI tools but risky in a multi-skill environment) and the destructive potential of batch task operations when wielded by an AI agent.
Findings (7)
MEDIUM Plaintext credential storage -18
The OAuth client ID, client secret, access token, and refresh token are stored as plaintext JSON at ~/.clawdbot/credentials/ticktick-cli/config.json. The skill tightens the modes (chmod 600 on the file, 700 on the directory), which keeps other users out, but POSIX permissions do not separate processes of the same user: any other skill or program running under the same account can read the tokens.
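As an added check (not part of the skill or of this scan), the TypeScript below audits a credential file of the kind described above: it confirms the file is owned by the current user and carries no group or world bits on the file or its directory, and lists which JSON keys hold secrets. The fixture path, the key names and the chosen modes are assumptions. It also demonstrates the finding's real point: the audit itself, running as the same user, reads the secrets regardless of the 0600 mode.

```typescript
// Added example, not the TickTick skill's own code.
// Audits a credential file like ~/.clawdbot/credentials/ticktick-cli/config.json.
import * as fs from "fs";
import * as os from "os";
import * as path from "path";

interface CredAudit {
  fileMode: number;            // permission bits of the file
  dirMode: number;             // permission bits of its parent directory
  ownedByUs: boolean;          // owned by the uid running this check
  groupOrWorldAccess: boolean; // any group/other bit on file or directory
  secretKeys: string[];        // JSON keys holding secrets (readable: same user)
  ok: boolean;                 // owned by us and 0600/0700 or tighter
}

// Key names are an assumption about the skill's config layout.
const SECRET_KEY_RE = /secret|token|password/i;

function auditCredentialFile(file: string): CredAudit {
  const st = fs.statSync(file);
  const dst = fs.statSync(path.dirname(file));
  const fileMode = st.mode & 0o777;
  const dirMode = dst.mode & 0o777;
  const groupOrWorldAccess = (fileMode & 0o077) !== 0 || (dirMode & 0o077) !== 0;
  // process.getuid is undefined on Windows; treat ownership as satisfied there.
  const ownedByUs = process.getuid ? st.uid === process.getuid() : true;

  // Same-user read: chmod 600 does not stop this, which is the finding's point.
  let secretKeys: string[] = [];
  try {
    const cfg = JSON.parse(fs.readFileSync(file, "utf8")) as Record<string, unknown>;
    secretKeys = Object.keys(cfg).filter((k) => SECRET_KEY_RE.test(k));
  } catch {
    // not JSON: nothing to list
  }

  return {
    fileMode, dirMode, ownedByUs, groupOrWorldAccess, secretKeys,
    ok: ownedByUs && !groupOrWorldAccess,
  };
}

// Constructed fixture standing in for the real config.json; values are dummies.
function makeFixture(fileMode: number, dirMode = 0o700): string {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "ticktick-cli-audit-"));
  fs.chmodSync(dir, dirMode);
  const file = path.join(dir, "config.json");
  fs.writeFileSync(file, JSON.stringify({
    clientId: "dummy-client-id",
    clientSecret: "dummy-client-secret",
    accessToken: "dummy-access-token",
    refreshToken: "dummy-refresh-token",
  }));
  fs.chmodSync(file, fileMode); // explicit, so the umask does not decide the result
  return file;
}

function main(): void {
  for (const mode of [0o600, 0o644]) {
    const result = auditCredentialFile(makeFixture(mode));
    console.log(mode.toString(8), result.ok ? "ok" : "EXPOSED", result.secretKeys.join(","));
  }
}
main();
```

The `ok` field only tells you that no other account can read the file. Anything that runs as this user, another skill included, gets the same result the audit gets from `secretKeys`; the only real fix is to move the tokens out of the shared user-readable filesystem (an OS keychain or a per-skill secret store), which this check cannot substitute for.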
LOW Browser launch via 'open' package -10
The skill uses the 'open' npm package to launch the user's default browser for the OAuth authorization step. This is standard OAuth behaviour for a CLI, but it is a code-execution surface: open() ultimately hands the URL to an OS-level launcher command, so whatever string reaches it is processed by the platform's URL handler. The risk therefore lies in where that URL comes from; it should be built from fixed constants with encoded parameters and checked (https only, expected host and path) rather than assembled from configuration values.
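The following is an added example, not the skill's code, of keeping the launcher surface narrow: the authorize URL is built from constants plus encoded parameters, and only a URL that parses as the https authorize endpoint on the expected host is ever passed on. The endpoint host and path and the parameter names are assumptions for illustration; the launcher is injected so the block runs without the 'open' package or a browser.

```typescript
// Added example, not the TickTick skill's own code.
// Only a URL that passes isSafeToOpen() is handed to the browser launcher.

// Assumed authorize endpoint; check the real one in the skill's source.
const ALLOWED_ORIGIN = "https://ticktick.com";
const ALLOWED_PATH = "/oauth/authorize";

// Build the URL from constants plus encoded parameters. URLSearchParams encodes
// "&", "#" and friends, so a hostile client_id cannot add or override parameters.
function buildAuthorizeUrl(clientId: string, redirectUri: string, state: string, scope: string): string {
  const u = new URL(ALLOWED_PATH, ALLOWED_ORIGIN);
  u.searchParams.set("client_id", clientId);
  u.searchParams.set("redirect_uri", redirectUri);
  u.searchParams.set("response_type", "code");
  u.searchParams.set("scope", scope);
  u.searchParams.set("state", state);
  return u.toString();
}

// Reject anything that is not the https authorize endpoint on the expected host.
function isSafeToOpen(raw: string): boolean {
  let u: URL;
  try {
    u = new URL(raw);
  } catch {
    return false;                                  // not a URL at all
  }
  if (u.protocol !== "https:") return false;       // no file:, javascript:, custom scheme handlers
  if (u.origin !== ALLOWED_ORIGIN) return false;   // no lookalike/suffix hosts, no other port
  if (u.username || u.password) return false;      // origin ignores userinfo; reject it explicitly
  if (u.pathname !== ALLOWED_PATH) return false;
  return true;
}

// In the skill the launcher is open() from the 'open' package; any function
// with the same shape can be passed in, which keeps this block offline.
function openAuthorization(url: string, launcher: (target: string) => void): boolean {
  if (!isSafeToOpen(url)) return false;
  launcher(url);
  return true;
}

// Offline demonstration with a recording launcher: only the first URL is launched.
function demo(): string[] {
  const launched: string[] = [];
  const launcher = (t: string) => { launched.push(t); };
  openAuthorization(buildAuthorizeUrl("app-id", "http://127.0.0.1:8080/cb", "nonce", "tasks:read"), launcher);
  openAuthorization("file:///etc/passwd", launcher);
  openAuthorization("https://ticktick.com.attacker.example/oauth/authorize", launcher);
  return launched;
}
```

Checking `origin` rather than `hostname` also rejects a non-default port, and the separate userinfo test matters because the WHATWG parser strips `user:pw@` from `origin`, so that check alone would let a credential-bearing URL through.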
LOW Shell wrapper script -5
tt.sh is a bash convenience wrapper that changes into the skill directory and runs the TypeScript entry point via bun. It passes arguments through with a quoted "$@", which preserves argument boundaries and does not word-split or glob-expand user input (an unquoted $@ would). It is nonetheless a shell execution entry point.
LOW Destructive task operations available to agent -15
The skill exposes batch-abandon as well as individual abandon, complete and delete operations. If an AI agent is manipulated, or simply infers the wrong task from a fuzzy description, it can abandon or complete tasks the user cares about. batch-abandon affects multiple tasks in a single API call, so one wrong selection is applied to all of them at once.
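The mitigation a practitioner would want here is a guard between the agent and the destructive endpoints, shown below as an added example that is not part of the skill: every destructive call is first resolved to an explicit set of task IDs, the call is a dry run unless the caller supplies a confirmation token bound to exactly that set, and batches above a fixed cap are refused regardless. Task fields, operation names, the cap and the token scheme are all assumptions; the API call is injected so the block runs offline.

```typescript
// Added example, not the TickTick skill's own code.
// A guard in front of abandon/complete/delete and batch-abandon.
import { createHash } from "crypto";

// Assumed task shape; the real API objects carry more fields.
interface Task { id: string; title: string; projectId: string; }
type DestructiveOp = "abandon" | "complete" | "delete";

interface Plan { op: DestructiveOp; taskIds: string[]; }
interface Decision { allowed: boolean; reason: string; plan: Plan; }

const MAX_BATCH = 10; // assumed cap on tasks touched by one confirmed call

// Resolve a selection to concrete IDs before anything destructive happens.
function planDestructiveOp(op: DestructiveOp, tasks: Task[], selector: (t: Task) => boolean): Plan {
  return { op, taskIds: tasks.filter(selector).map((t) => t.id) };
}

// Token bound to the exact set (order-independent), so confirming a preview
// cannot be reused for a different or larger selection.
function confirmToken(plan: Plan): string {
  const canonical = plan.op + "\n" + [...plan.taskIds].sort().join("\n");
  return createHash("sha256").update(canonical).digest("hex").slice(0, 16);
}

function authorize(plan: Plan, confirmation?: string): Decision {
  if (plan.taskIds.length === 0) {
    return { allowed: false, reason: "nothing selected", plan };
  }
  if (plan.taskIds.length > MAX_BATCH) {
    return { allowed: false, reason: `batch of ${plan.taskIds.length} exceeds cap of ${MAX_BATCH}`, plan };
  }
  if (confirmation === undefined) {
    return { allowed: false, reason: `dry run; re-run with --confirm ${confirmToken(plan)}`, plan };
  }
  if (confirmation !== confirmToken(plan)) {
    return { allowed: false, reason: "confirmation token does not match this selection", plan };
  }
  return { allowed: true, reason: "confirmed", plan };
}

// Calls the API only when authorize() allows it; apiCall is injected so the
// example runs without network access.
function runDestructive(plan: Plan, confirmation: string | undefined, apiCall: (p: Plan) => void): Decision {
  const decision = authorize(plan, confirmation);
  if (decision.allowed) apiCall(plan);
  return decision;
}

// Constructed sample data: 12 tasks, two of them in "inbox".
function sampleTasks(): Task[] {
  const tasks: Task[] = [];
  for (let i = 1; i <= 12; i++) {
    tasks.push({ id: `t${i}`, title: `Task ${i}`, projectId: i <= 2 ? "inbox" : "work" });
  }
  return tasks;
}
```

The token is what makes the confirmation meaningful for an agent: a preview of two inbox tasks cannot be turned into a confirmed abandon of three, because any change to the selection changes the token, and a selection that silently matched more tasks than intended hits the cap before the confirmation step is even reached.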
INFO Agent behavioral guidance in SKILL.md -5
The 'Agent Usage Tips' section gives AI agents mild operational guidance (use the --json flag, list projects first, prefer IDs over names). This is helpful advice rather than injection, but it does steer agent behaviour whenever the skill is loaded into context.
INFO OAuth tokens sent to TickTick API -5
The access token is sent as a Bearer token to api.ticktick.com on every API request. This is expected OAuth behaviour, but it means the token transits the network on each operation, so the skill's transport security rests entirely on TLS to that host.
INFO Platform reads of sensitive files during install -5
Filesystem monitoring shows reads of ~/.env and ~/.aws/credentials during the install phase. The surrounding activity (jiti compilation and creation of the gateway lock file) attributes these reads to the OpenClaw platform gateway process, not to the skill's own code.