Dingtalk Contact

Security checks across malware telemetry and agentic risk

Overview

This DingTalk directory skill appears purpose-built rather than malicious, but it deserves review because it stores app credentials/tokens locally and enables broad employee-directory access through shell-based workflows.

Install only for an authorized DingTalk administrator or trusted operator who is allowed to query employee directory data. Use a least-privilege DingTalk app, restrict who can invoke the skill, protect or replace ~/.dingtalk-skills/config with secure secret storage, avoid bulk member queries unless approved, and rotate credentials if tokens or config files may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill directs the agent to use shell (`bash`, `curl`, temporary scripts) but does not declare that capability. Hidden execution capability reduces transparency and bypasses least-privilege review, making it easier for a supposedly simple directory lookup skill to run broader commands than users or platform policy expect.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The manifest frames the skill as a contact lookup tool, but the instructions also include persistent credential/config management and token lifecycle operations. This expands the trust boundary from read-only directory queries into secret storage and auth handling, which materially increases risk and can expose or misuse DingTalk credentials across sessions.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The guidance instructs persistent writes of configuration and credentials across sessions, despite the skill presenting itself as a query-oriented directory tool. Cross-session secret retention without strong disclosure and boundaries increases the chance of credential leakage, misuse by later runs, and unexpected access persistence.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill authorizes writing arbitrary task-specific shell scripts to `/tmp` and executing them. For a contact-directory skill, this is excessive and dangerous because any future variable interpolation or user-derived content could become command injection, while temporary script execution broadens the attack surface far beyond simple API calls.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The helper exposes broad credential, token, and configuration management capabilities that exceed a contact-query skill’s stated purpose. In an agent setting, this expands the blast radius: a skill meant for directory lookup can also mint tokens, clear caches, inspect config, and persist secrets, which increases the chance of misuse or abuse.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The script allows arbitrary reads and writes of configuration keys via --get and --set, with no allowlist of permitted keys. Because the same config stores app secrets and access tokens, a caller with access to this helper can modify security-sensitive settings or persist attacker-controlled values, undermining trust in all downstream API calls.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The script offers token issuance, cache inspection, and cache clearing functions that are not necessary for ordinary contact lookup by end users. Exposing these operations to the skill increases opportunities for credential harvesting, unintended privilege use, and disruptive token invalidation workflows.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill tells the operator to persist DingTalk AppKey/AppSecret and related configuration across sessions without an explicit user-facing warning about sensitivity or retention. Storing long-lived credentials silently increases the risk of unauthorized reuse, lateral access by subsequent tasks, and accidental disclosure from local files or helper scripts.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This documentation explicitly describes retrieval of detailed employee directory data including mobile numbers, job numbers, emails, department membership, roles, and union identifiers, but provides no privacy, authorization, or data-minimization guidance. In the context of an agent skill for contact lookup, this increases the risk of over-collection and disclosure of sensitive employee PII to users or downstream tools without a clear need-to-know boundary.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The file tells operators how to obtain and use both NEW_TOKEN and OLD_TOKEN but does not warn that these are sensitive credentials equivalent to API access. In practice, such omissions commonly lead to tokens being pasted into logs, chats, prompts, examples, or stored insecurely, enabling unauthorized access to the entire directory API surface.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Configuration writes persist secrets and tokens in plaintext under ~/.dingtalk-skills/config, and the script does not set restrictive file permissions or warn operators at execution time. Any local user, backup system, or unrelated tooling with access to that file may recover long-lived credentials and cached tokens.

External Transmission

Medium
Category
Data Exfiltration
Content
echo "搜索结果: $SEARCH"

TARGET_UID=$(echo "$SEARCH" | grep -o '"list":\["[^"]*"' | grep -o '"[^"]*"$' | tr -d '"')
DETAIL=$(curl -s -X POST "https://oapi.dingtalk.com/topapi/v2/user/get?access_token=${OLD_TOKEN}" \
  -H 'Content-Type: application/json' \
  -d "{\"userid\":\"$TARGET_UID\",\"language\":\"zh_CN\"}")
echo "用户详情: $DETAIL"
Confidence
84% confidence
Finding
curl -s -X POST "https://oapi.dingtalk.com/topapi/v2/user/get?access_token=${OLD_TOKEN}" \ -H 'Content-Type: application/json' \ -d

VirusTotal

64/64 vendors flagged this skill as clean.
