dingtalk-docs

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it says, but its document-writing authority is paired with inconsistent scope around non-document and multidimensional-table creation.

Install only if you want an agent to use your DingTalk document credential to search, create, read, and write cloud documents. Pay special attention to requests involving tables or multidimensional tables, because the skill’s scope is inconsistent there; confirm the exact target type and review overwrite/import actions before allowing them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Description-Behavior Mismatch

Medium
Confidence: 79%
Finding
The changelog explicitly states the skill includes scripts to import documents from local files and export documents to local storage, while the manifest frames the skill as managing DingTalk cloud documents. That mismatch can hide local filesystem access from users and policy engines, increasing the risk of unintended data exfiltration from the workspace or writing sensitive cloud data to disk.

Context-Inappropriate Capability

Medium
Confidence: 83%
Finding
Local filesystem import/export is broader than the stated purpose of cloud-document management and creates an additional trust boundary crossing between local disk and remote documents. In this skill context, that makes the capability more dangerous because users invoking a cloud-docs skill may not expect it to read workspace files or persist remote content locally.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The documented `create_dentry_under_node` capability materially exceeds the skill's declared scope by enabling creation of many object types beyond documents and folders. Scope drift is dangerous because an orchestrator or user may invoke this skill in situations where richer content creation is not expected, causing unauthorized or unintended actions in adjacent product areas.

Context-Inappropriate Capability

High
Confidence: 98%
Finding
The reference explicitly supports `accessType` `"7"` for multidimensional-table creation even though the skill metadata says the skill must not trigger for multidimensional-table operations. This contradiction can cause the agent to act in a forbidden domain, bypassing user expectations and routing boundaries, and potentially creating or modifying resources with the wrong tool.

Vague Triggers

Medium
Confidence: 88%
Finding
The manifest description and keyword set are broad enough to trigger on generic references to online documents, cloud docs, or related terms without strong constraints on user intent. This can cause overbroad activation and unintended use of document-reading or document-modifying capabilities in contexts where the user did not clearly request this skill, increasing the risk of accidental data access or modification.

Missing User Warnings

Medium
Confidence: 84%
Finding
The manifest explicitly supports creating documents, folders, and writing document content, but it does not state any confirmation, warning, or consent requirement before modifying user data. In a document-management skill, write capabilities are inherently sensitive, so the absence of explicit safeguards makes accidental or misunderstood destructive changes more likely.

Missing User Warnings

Medium
Confidence: 88%
Finding
The script reads a local file and uploads its contents to DingTalk, but it does not provide any explicit confirmation, sensitivity warning, or transmission notice before sending potentially confidential local data to an external service. In a document-management skill this behavior is expected, but the lack of a clear warning increases the risk of accidental exfiltration of sensitive files when users invoke the import operation with the wrong path or without understanding where the data is going.

VirusTotal

63/63 vendors flagged this skill as clean.