Back to skill
Skillv0.1.0
VirusTotal security
Dingtalk Todo · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewApr 30, 2026, 6:01 AM
- Hash
- 5071da474eff9fbe08dacd5bdb9cc17d2fe6a585f6c82729586f2689df19dee0
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: dingtalk-todo Version: 0.1.0 The skill manages DingTalk Todo tasks by storing sensitive API credentials (AppKey and AppSecret) in a local plaintext configuration file (~/.dingtalk-skills/config) and executing logic via temporary shell scripts in /tmp. While these behaviors are aligned with the stated purpose of interacting with DingTalk APIs (api.dingtalk.com and oapi.dingtalk.com), the use of shell execution, network access, and insecure credential storage are classified as risky capabilities and potential vulnerabilities under the review criteria. No evidence of intentional data exfiltration or malicious prompt injection was found in SKILL.md or references/api.md.
- External report
- View on VirusTotal