ticktick
Fail
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: HIGHCOMMAND_EXECUTIONDATA_EXFILTRATIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The
resolve_projectfunction inscripts/tt.shis vulnerable to Python code injection. It interpolates the shell variable$inputdirectly into a Python string literal within apython3 -ccommand:name = '$input'.lower(). If the input contains a single quote, an attacker can break out of the string and execute arbitrary Python code. This affects several skill commands includingtasks,add,complete, andupdatewhenever a project name or ID is provided. - [DATA_EXFILTRATION] (HIGH): The command injection vulnerability can be leveraged to exfiltrate the
TICKTICK_TOKENor local system files by executing network commands likecurlfrom within the injected Python context. - [REMOTE_CODE_EXECUTION] (HIGH): The vulnerability allows for arbitrary code execution on the runner because user-controlled strings (project names, IDs) are insecurely handled during script execution.
- [PROMPT_INJECTION] (LOW): The skill is vulnerable to indirect prompt injection. Ingestion points: Data fetched from the TickTick API via
scripts/tt.sh(e.g., task titles and notes). Boundary markers: Absent; task data is displayed to the agent in a simple markdown list format. Capability inventory: Network access (curl), command execution (bash,python3), and access to secrets via environment variables. Sanitization: None; external data is not escaped or validated before being presented to the agent's context.
Recommendations
- AI detected serious security threats
Audit Metadata