Skillv0.1.1

ClawScan security

Dingtalk Message · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 12, 2026, 3:36 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's instructions and requirements are consistent with its stated purpose (sending DingTalk messages), but it persistently reads/writes a local config and creates/executes shell scripts — review how credentials are stored and executed before enabling.
Guidance: This skill appears to do what it says: send messages via DingTalk Webhook, enterprise robots, and work notifications. Before installing, consider: 1) Credentials: you will need to provide appKey/appSecret/agentId or webhook URL/secret; the skill will persist them in ~/.dingtalk-skills/config (and will write access tokens there). Ensure that file is created with restrictive permissions (chmod 600) and that you trust the agent runtime to manage secrets. 2) Script execution: the skill creates /tmp/*.sh scripts and runs them; review any generated scripts if your platform lets you inspect them before execution. 3) Least privilege: prefer webhook-only use (webhook URL) if you only need simple group notifications, since webhooks avoid giving appKey/appSecret. 4) Auditing: monitor ~/.dingtalk-skills/config and /tmp for unexpected changes and rotate credentials if needed. If you want higher assurance, request a variant that uses platform-managed secret storage (not a plaintext config file) or limits on script execution.

Review Dimensions

Purpose & Capability: okName/description (DingTalk message sending) match the instructions and API reference: the SKILL.md describes Webhook robots, enterprise app robots, work notifications, tokens, and the exact APIs used. Required secrets (appKey/appSecret/agentId/webhook/secret) are what DingTalk integrations legitimately need.
Instruction Scope: noteInstructions explicitly tell the agent to read and write a persistent config file (~/.dingtalk-skills/config), create bash scripts under /tmp and execute them, and call DingTalk endpoints via curl. Those actions are coherent with sending messages but constitute file I/O and command execution on the host — the agent will create and run scripts and persist credentials and tokens. The guidance to avoid inline heredocs and to cache tokens is implementation detail but broadens the agent's ability to modify files and execute commands.
Install Mechanism: okNo install specification or external downloads; this is instruction-only, so nothing is written to disk by an installer. Risk from install mechanism is minimal.
Credentials: noteThe skill does not declare required env vars but instructs the agent to collect and persist DingTalk credentials (DINGTALK_APP_KEY, DINGTALK_APP_SECRET, DINGTALK_AGENT_ID, DINGTALK_WEBHOOK_URL, DINGTALK_WEBHOOK_SECRET) and to store access tokens (DINGTALK_ACCESS_TOKEN) in the shared config file. Those credentials are proportionate to the stated purpose, but storing tokens/credentials on disk increases sensitivity and requires careful file-permission handling.
Persistence & Privilege: notealways is false (good). However, the skill explicitly instructs persistent storage in ~/.dingtalk-skills/config and caching tokens there for reuse across sessions/skills. It also directs creation/execution of /tmp/*.sh scripts. This persistence and ability to run shell scripts is expected for this kind of integration but increases the security impact if the agent or platform is compromised.