Is ticktick-api-skill safe?

https://clawhub.ai/byungkyu/ticktick-api-skill

72
CAUTION

This skill is a documentation-only TickTick API integration that contains no executable code, install scripts, or direct prompt injection attempts. However, it routes all API traffic through a third-party proxy (gateway.maton.ai) creating an opaque man-in-the-middle for all task data, and includes a cross-skill reference that could expand the attack surface. The primary risk is architectural: trusting Maton with full read/write access to TickTick data without user visibility into token scope or data handling.

Category Scores

Prompt Injection 68/100 · 30%
Data Exfiltration 62/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 55/100 · 5%

Findings (8)

MEDIUM All traffic routes through third-party proxy gateway -25

Every API call goes through gateway.maton.ai instead of directly to api.ticktick.com. The Maton gateway operator can intercept, log, modify, or exfiltrate all task data including titles, descriptions, due dates, and project structures. Users have no visibility into what Maton does with this data beyond their stated purpose.

MEDIUM API key grants broad access across Maton ecosystem -13

The MATON_API_KEY is sent to both gateway.maton.ai and ctrl.maton.ai on every request. This single key may grant access to other connected services in the Maton ecosystem, not just TickTick. The connection management API reveals all active OAuth connections.

MEDIUM Cross-skill installation directive -20

The skill description explicitly directs the agent to use another skill (api-gateway) for other third-party apps. This creates a chaining vector where installing one skill leads to installing additional skills from the same author, expanding the attack surface.

LOW Inline executable code examples normalize shell execution -12

The skill provides numerous python heredoc code blocks that agents will execute directly via shell. While each individual block is a legitimate API call, the pattern of providing ready-to-execute code normalizes the agent running arbitrary Python from skill documentation.

LOW Python heredoc execution pattern in documentation -15

The skill uses python heredoc blocks as the primary interaction pattern rather than curl or SDK calls. This means the agent must have Python available and will execute multi-line Python scripts, which is a broader execution surface than simple HTTP requests.

LOW Third-party proxy creates opaque trust dependency -45

The skill is architecturally dependent on Maton as an intermediary. Users trust TickTick with their task data, but this skill silently introduces Maton as an additional party with full read/write access to that data. The OAuth token management is entirely server-side, giving users no control over token scope.

INFO Sensitive file reads during install are from runtime, not skill -15

Filesystem monitoring shows reads of .env, .aws/credentials, .profile, and .bashrc during installation. Analysis confirms these are from the openclaw agent runtime initialization, not from the skill itself. The skill contains no install scripts or executable code.

INFO All honeypot files intact 0

No canary files were accessed or modified during skill installation or analysis. This confirms the skill does not attempt to read fake credentials or sensitive files during the clone/install phase.