Dingtalk Todo

Security checks across malware telemetry and agentic risk

Overview

This DingTalk todo skill is mostly coherent, but it asks for persistent DingTalk credentials and can modify real business tasks while using broad triggers that could invoke it unexpectedly.

Review this skill before installing if the DingTalk account is used for business work. Use a least-privileged DingTalk app, protect ~/.dingtalk-skills/config because it may contain secrets and bearer tokens, and require explicit confirmation for create, update, complete, assign, or delete requests, especially when the request did not clearly say DingTalk.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 88%
Finding
The skill’s trigger list includes broad generic phrases such as “task management,” “todo task,” and common Chinese todo phrases that can match ordinary conversation, causing the agent to invoke this skill unexpectedly. Because the skill persists credentials and performs state-changing actions against a real DingTalk account, accidental invocation increases the chance of unintended external API calls and task creation/modification.

VirusTotal

66/66 vendors flagged this skill as clean.
