Dingtalk Ai Web Search

Pass

Audited by ClawScan on May 1, 2026.

Overview

This appears to be a purpose-aligned web-search skill, with the main things to notice being that it runs a local bash/curl helper, sends searches to a Dingtalk MCP endpoint, and saves that endpoint locally.

Before installing, verify that the MCP URL comes from the intended Dingtalk page, remember that it is saved locally in .mcp_url, and avoid sending secrets or private data as search queries.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may run the included shell script to check the search service before performing searches.

Why it was flagged

The skill asks the agent to run a local bash helper for connectivity checks. This is disclosed and tied to the search function, but users should be aware the skill uses local command execution.

Skill content

At the start of each new session, first run `--ping` to check... bash <CURRENT_SKILL_MD_PATH_DIR>/scripts/search.sh --ping

Recommendation

Install only if you are comfortable with the agent invoking this local script for Dingtalk MCP search; keep the script from untrusted modifications.

What this means

Anyone with access to the saved .mcp_url file may learn the MCP endpoint configured for this search skill.

Why it was flagged

The script stores the user-provided MCP URL persistently. That URL may function like access configuration for the Dingtalk MCP service, even though no explicit token or credential leakage is shown.

Skill content

CONFIG_FILE="$(dirname "$SCRIPT_PATH")/.mcp_url" ... save_url() { ... printf '%s' "$url" > "$CONFIG_FILE"

Recommendation

Use only the intended Dingtalk MCP URL, avoid sharing the saved .mcp_url file, and delete it if you no longer want the skill connected.

What this means

Your search terms are sent to the configured Dingtalk MCP endpoint and may be processed by that service.

Why it was flagged

Search requests are sent over HTTP to the configured MCP gateway. This is expected for a web-search skill, but it means search queries leave the local environment.

Skill content

curl ... -H 'Accept: application/json, text/event-stream' ... --data-raw "$body" ... "$url"

Recommendation

Do not search for secrets, passwords, private documents, or sensitive business data unless you trust the configured MCP service and its data handling.