DingTalk Push
Pass
Audited by ClawScan on May 1, 2026.
Overview
This skill does what it claims—send user-provided DingTalk bot messages—but users should remember it can post to a group chat and uses stored webhook credentials.
Before installing, confirm you trust the workflows that can invoke this skill, configure only an official HTTPS DingTalk webhook, protect the webhook and signing secret, and be cautious with @all or sensitive message content.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked unintentionally or with the wrong message, the bot could post to a group chat or notify everyone.
The skill can send messages that mention specific people or everyone in a DingTalk group; this is purpose-aligned but can visibly notify many users.
Supports @mentioning specified people and @everyone
Use this skill only with trusted workflows and review messages carefully before using @all.
Anyone or any workflow with access to these credentials may be able to send messages through the DingTalk bot.
The code uses a DingTalk webhook URL and optional signing secret as credentials for posting to the user's configured group bot.
webhook: process.env.DINGTALK_WEBHOOK || '', secret: process.env.DINGTALK_SECRET || ''
Store the webhook and secret securely, limit access to the config file/environment, and rotate the bot secret if exposed.
Message content and mentioned phone numbers are sent to the configured endpoint; an HTTP or untrusted webhook could expose that data.
The skill sends the message body and mention data to the configured webhook endpoint, and the implementation permits either HTTPS or HTTP URLs.
const lib = isHttps ? https : http; ... req.write(postData);
Use only the official HTTPS DingTalk webhook URL and avoid sending secrets or sensitive personal data in notifications.
