Dingtalk Document

Security checks across malware telemetry and agentic risk

Overview

This DingTalk document skill does what it claims, but it should be reviewed because it can change or delete business documents and stores DingTalk credentials/tokens locally without strong safeguards.

Install only if you intend to let the agent operate on DingTalk documents with read, write, delete, and member-management authority. Use a least-privilege DingTalk app, restrict who can read ~/.dingtalk-skills/config, rotate credentials if that file is exposed, and require manual confirmation before overwriting, deleting, or changing document permissions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill explicitly instructs the agent to execute shell commands (`bash`, `curl`, temporary scripts) but does not declare shell permissions. This creates a trust and review gap: the runtime can perform code execution and local file manipulation beyond what a user or platform policy may expect.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The skill is presented as a document-management skill, but its instructions also include credential storage, token caching, local configuration read/write, and identity conversion operations. This broader behavior increases the attack surface and can expose or modify sensitive credentials and identity mappings in ways not disclosed by the stated purpose.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The helper exposes generic platform token management, config mutation, and identity-conversion features that go beyond the declared document/knowledge-base scope. In an agent skill, this unnecessary expansion of capability increases the attack surface and enables access to broader DingTalk APIs and identities than users would reasonably expect from a document-management tool.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The userId↔unionId conversion capability is unrelated to basic document management and allows cross-identifier resolution of personnel identities. That can facilitate enumeration, correlation of users across contexts, and use of broader organization APIs, making the skill more privacy-sensitive and more dangerous than its stated purpose suggests.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script persistently writes secrets and tokens to a config file and updates it with unsanitized values using shell text substitution. This creates both a secret-at-rest risk and a file-integrity risk: crafted values containing newlines or sed metacharacters can corrupt the config or inject additional keys, potentially altering behavior or exposing credentials to other local users/processes.

External Transmission

Medium
Category
Data Exfiltration
Content
old_token=$(cmd_old_token)

resp=$(curl -s -X POST \
  "https://oapi.dingtalk.com/topapi/v2/user/get?access_token=${old_token}" \
  -H "Content-Type: application/json" \
  -d "{\"userid\":\"${user_id}\"}")
Confidence
89% confidence
Finding
curl -s -X POST \
  "https://oapi.dingtalk.com/topapi/v2/user/get?access_token=${old_token}" \
  -H "Content-Type: application/json" \
  -d

External Transmission

Medium
Category
Data Exfiltration
Content
old_token=$(cmd_old_token)

resp=$(curl -s -X POST \
  "https://oapi.dingtalk.com/topapi/user/getbyunionid?access_token=${old_token}" \
  -H "Content-Type: application/json" \
  -d "{\"unionid\":\"${union_id}\"}")
Confidence
89% confidence
Finding
curl -s -X POST \
  "https://oapi.dingtalk.com/topapi/user/getbyunionid?access_token=${old_token}" \
  -H "Content-Type: application/json" \
  -d

VirusTotal

64/64 vendors flagged this skill as clean.