Skillv0.1.0

ClawScan security

Dingtalk Todo · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewMar 12, 2026, 3:33 PM

Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary: The skill's behavior mostly matches a DingTalk Todo integrator, but it collects and persists sensitive credentials to a local config file (not declared in metadata) and executes generated shell scripts — these inconsistencies and persistence choices warrant caution.
Guidance: This skill legitimately needs DingTalk app credentials and a user ID to call the Todo APIs, but the SKILL.md instructs the agent to: 1) ask you for the AppKey/AppSecret and userId, 2) store them plaintext in ~/.dingtalk-skills/config (including cached tokens), and 3) build and run temporary shell scripts in /tmp. Before installing, consider: - Only provide these credentials if you trust the skill and the publisher; treat AppSecret like a password. - Be aware the skill will persist secrets to your home directory (check and restrict file permissions, e.g., chmod 600). - If you stop using the skill, delete ~/.dingtalk-skills/config and revoke the AppSecret/token in DingTalk. - Review or sandbox the agent first (run in a throwaway account or VM) to observe what gets written/executed. - Prefer an implementation that uses secure secret storage or declares required env vars in metadata; the mismatch between metadata and runtime credential use is an incoherence to be aware of.

Review Dimensions

Purpose & Capability: okName and description match the instructions: the SKILL.md documents how to call DingTalk Todo APIs (create/list/update/delete). The credentials and user-id conversions described are appropriate and necessary for the stated purpose.
Instruction Scope: noteRuntime instructions direct the agent to read/write a configuration file at ~/.dingtalk-skills/config, fetch and cache access tokens, convert userId→unionId via DingTalk endpoints, and create/execute temporary shell scripts (/tmp/<task>.sh) for multi-line commands. These actions are within scope for a CLI-based API integrator but grant file I/O and shell-execution abilities; executing dynamically created scripts increases risk if inputs are not validated.
Install Mechanism: okInstruction-only skill with no install spec and no external downloads. Lowest install risk — nothing is written by an installer beyond what the runtime instructions ask the agent to do.
Credentials: concernThe SKILL.md expects collection of sensitive values (DINGTALK_APP_KEY, DINGTALK_APP_SECRET, DINGTALK_USER_ID and derived DINGTALK_OPERATOR_ID) and persists them to ~/.dingtalk-skills/config in plaintext. However the registry metadata declares no required credentials/env vars. This mismatch (credentials used but not declared) and the plaintext persistence of secrets to a file in the user's home are the primary concerns.
Persistence & Privilege: notealways:false (good). The skill persists credentials and cached tokens to ~/.dingtalk-skills/config and executes scripts from /tmp; it does not request elevated platform privileges but it does create persistent sensitive files and executes shell scripts — the user should consider file permissions and removal on uninstall.