Dingtalk Ai Table
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used incorrectly, the skill can alter or permanently delete DingTalk table data that the configured account can access.
The documented toolset includes irreversible deletion of an entire DingTalk AI table base. This is purpose-aligned for a CRUD table-management skill, but it is a high-impact action.
delete_base:删除整个 Base,高风险、不可逆。
Use explicit baseId/tableId/recordId values, review destructive operations carefully, and back up important tables before delete or bulk update actions.
Anyone who obtains this URL may be able to act with the DingTalk permissions associated with it.
The skill requires a DingTalk MCP Server URL that contains an access token. The artifact correctly warns that it is password-equivalent.
这个 URL 带访问令牌,等同密码,不要泄露。
Store the MCP URL securely, do not paste it into shared chats or logs, and rotate it if it may have been exposed.
Running the helper scripts will execute local commands that send selected records or field definitions to the configured DingTalk MCP server.
The included helper scripts execute the local mcporter CLI. This is central to the skill's purpose and uses argument lists rather than shell string execution.
result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
Review input files before importing, keep them inside OPENCLAW_WORKSPACE, and ensure mcporter is the expected trusted binary.
A compromised or unexpected mcporter installation could affect all DingTalk MCP calls made by the skill.
The skill relies on an external globally installed CLI. This is expected for this integration, but the artifact does not pin an exact mcporter package version.
npm install -g mcporter
Install mcporter from a trusted source, prefer the recommended version or newer, and verify the binary before use.
A stale or incorrect local cache marker could cause the skill to skip schema validation until the URL changes or the cache is cleared.
The schema gate stores a persistent local cache marker keyed by a hash of the MCP URL and skips repeated checks when the marker says the new schema was confirmed.
CACHE_FILE="$CACHE_DIR/schema-check-$URL_HASH.json"
Clear the workspace cache or rerun schema validation if DingTalk MCP behavior changes unexpectedly.