Back to skill

Security audit

Dingtalk Calendar Only Curl

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed DingTalk calendar helper that stores DingTalk credentials locally and can change calendar data, so users should install it only for trusted calendar automation.

Install only if you want an agent to manage DingTalk calendar data. Use a least-privilege DingTalk app with only the required calendar scopes, protect ~/.dingtalk-skills/config with restrictive permissions, avoid sharing logs containing tokens or IDs, and confirm any create, update, delete, meeting-room, sign-in, or sign-out action before it runs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The helper script provides broad DingTalk platform token, config, and identity-management capabilities that exceed a calendar-only skill’s stated purpose. In this context, scope expansion matters because it gives the skill reusable primitives for accessing unrelated APIs and identities, increasing the attack surface and enabling privilege misuse if the skill or surrounding agent is compromised.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Supporting userId/unionId conversion is not required for basic calendar CRUD and exposes identity-resolution functionality that can be used to enumerate or correlate employee identities. In an agent skill, this broadens access from calendaring into directory/identity operations, which is more dangerous because it can facilitate lateral data access or targeting of other users.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script explicitly supports obtaining old-style tokens for non-calendar APIs such as group messaging, work notifications, and interactive cards, which is outside the declared calendar skill scope. That makes the skill materially more dangerous because a compromised or misused agent could pivot from scheduling into broader organizational messaging or notification abuse using the same stored credentials.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger description contains broad everyday terms such as '日历' and 'calendar', making accidental invocation more likely. In a skill that can create, modify, delete schedules and interact with meeting rooms and sign-in links, unintended activation can lead to unauthorized actions or unnecessary collection/use of sensitive enterprise context. Broad routing increases operational risk even if the underlying API usage is legitimate.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation tells the agent to write provided configuration, including AppKey and AppSecret, into a local file under ~/.dingtalk-skills/config, but does not clearly warn that sensitive credentials will be persistently stored. Persistent secret storage without explicit notice, secure storage guidance, or file-permission requirements increases the chance of credential leakage from the local environment. This is especially risky because the same skill also retrieves and caches tokens derived from those secrets.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The document exposes multiple state-changing operations such as creating, updating, deleting calendar events, binding meeting rooms, and sign-in/sign-out actions, but does not instruct the agent to obtain explicit user confirmation before executing destructive or user-visible changes. In an agent setting, this increases the risk of unintended modifications to calendars, meetings, attendance state, or room reservations due to misunderstanding, prompt injection, or ambiguous user input.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.