Dingtalk Message

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate DingTalk messaging skill, but it can send workplace messages using saved credentials after very broad trigger phrases.

Install only if you want the agent to send DingTalk messages for you. Use a dedicated low-privilege DingTalk bot or app, require explicit DingTalk intent plus recipient/content confirmation before sends, and protect or remove ~/.dingtalk-skills/config when credentials should no longer be reused.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium, 91% confidence
Finding
The trigger list contains very broad, everyday phrases such as '发消息', '发通知', and 'send message', which can cause the skill to activate in situations where the user did not specifically intend to use DingTalk. Because this skill can send outbound messages and use stored credentials, over-broad invocation increases the chance of unintended external actions and message delivery.

Missing User Warnings

Medium, 95% confidence
Finding
The skill explicitly instructs persistent storage of credentials in a shared config file and execution of generated shell scripts, but does not require a user-facing warning or strong safeguards around secret handling and command execution. In context, this skill deals with API keys, webhook URLs, and tokens, so persisting them and manipulating them via shell increases the risk of credential leakage, unintended reuse across sessions, and unsafe command composition.

Missing User Warnings

Medium, 94% confidence
Finding
The documentation states that `sessionWebhook` can be used directly and requires no access token or signature, but it does not warn that this URL is effectively a bearer secret for a temporary reply channel. If exposed in logs, prompts, analytics, or chat history, another party could send unauthorized replies into the conversation until expiry.

VirusTotal

66/66 vendors flagged this skill as clean.
