DingTalk Flash Minutes (钉钉闪记) Data Extraction

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a DingTalk meeting-data helper, but it also asks agents to install remote code and documents write actions against meeting records without clear warnings or confirmation gates.

Install only if you trust the dws CLI source and understand that this may read sensitive DingTalk meeting transcripts and may modify meeting records if mutating commands are used. Prefer npm installation over remote shell pipelines, review installer scripts first, and require explicit confirmation before any update, replace, upload, or export action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding
The README for an extraction-focused skill documents mutation commands such as updating titles/summaries, replacing text, and generating derived artifacts. This creates a mismatch between the stated purpose and the operational guidance, which can mislead users or downstream agents into performing unintended write actions against user data.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
Although the skill is presented as a data extraction tool, it also documents write operations such as updating titles, updating summaries, replacing transcription text, generating artifacts, and uploading recordings. This expands the blast radius from read-only access to modification and creation of potentially sensitive enterprise records.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The skill includes installation steps and remote script execution that are not necessary for the narrow, stated goal of extracting minutes data, especially when a package-manager-based installation path already exists. Fetching and piping remote scripts directly into a shell materially increases the risk of supply-chain compromise or unintended host modification.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding
The skill claims to extract DingTalk minutes data, but the helper script also installs external software and initiates authentication. That expands the trust boundary from local data access to software installation and account access, which is a meaningful capability mismatch that can surprise users and increase attack surface.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The script fetches a remote installer and pipes it directly into sh, enabling arbitrary code execution from network content at runtime. This is especially risky because it performs system-level installation for a data-extraction skill, making compromise of the remote source, transport chain, or repository immediately translate into code execution on the host.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The README recommends installing software by piping a remotely fetched script directly into `sh`, which executes unreviewed code from the network immediately. If the source, transport, repository, or upstream account is compromised, users can suffer arbitrary code execution on their machine.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The README lists commands that change minute data without warning that they modify user content. In an agent skill context, undocumented side effects are especially risky because users may expect read-only extraction and an automated system may invoke these commands without adequate confirmation.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill recommends executing remote shell and PowerShell installers without any prominent safety warning about reviewing scripts, validating provenance, or the risks of arbitrary code execution. Users may treat these commands as routine and execute them blindly, exposing their systems to compromise if the upstream source is tampered with.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The commands access meeting recordings, transcripts, summaries, todos, and keywords, which are often highly sensitive business data, but the skill does not clearly warn about confidentiality, least-privilege use, or safe output handling. In an agent setting, this omission increases the chance that sensitive meeting content is fetched or exposed without adequate user awareness.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
Executing a remotely fetched shell script without clear warning or confirmation gives the script the ability to run arbitrary commands on the user's system. In the context of an agent skill, this is more dangerous because users may expect a bounded data operation, not network retrieval and shell execution of unreviewed code.

VirusTotal

64/64 vendors flagged this skill as clean.
