Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Dingtalk Workspace
v1.0.1
Interact with DingTalk enterprise workspace to search contacts, send messages, manage calendars, todos, approvals, attendance, reports, and AITable data via...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated purpose (DingTalk workspace operations) matches the included scripts and docs: they call a 'dws' CLI to manage contacts, chat, calendar, todo, approvals, attendance, reports and AITable. However the registry metadata at the top lists no required environment variables/credentials while the SKILL.md and clawhub.yml repeatedly state this needs OAuth credentials (DWS_CLIENT_ID / DWS_CLIENT_SECRET). That inconsistency (metadata says none required; docs and code require credentials) is noteworthy and unexplained.
Instruction Scope
SKILL.md repeatedly cautions to use --dry-run and least-privilege credentials, but several bundled scripts call the dws CLI programmatically with mutation flags that bypass prompts: import_records.py's run_dws appends '--yes', calendar_schedule_meeting.py's run_dws_action appends '--yes' unless --dry-run is explicitly set, and other scripts can create/update/delete records. That contradicts the 'always preview' guidance and grants the code the ability to perform destructive changes if invoked without care.
Install Mechanism
There is no formal install spec in the registry (instruction-only), which is lower-risk from an automatic-install perspective. The SKILL.md instructs users to download a prebuilt binary or run an installer script pulled from a GitHub repo (raw.githubusercontent.com curl|sh and PowerShell 'iex' links). Pulling and executing remote install scripts is common but higher-risk unless you verify the upstream repository; the URLs point to a third-party GitHub repo (DingTalk-Real-AI) rather than an official vendor site, so verify authenticity before running.
Credentials
Requesting DWS_CLIENT_ID and DWS_CLIENT_SECRET is appropriate for a DingTalk CLI integration and those env vars are documented in the skill's clawhub.yml and SKILL.md. The problem is the manifest/registry metadata in the header reported 'Required env vars: none' and 'Primary credential: none', which contradicts the internal documentation. This metadata mismatch could mislead users or automated install systems into not providing necessary credentials securely. No unrelated credentials are requested by the code.
Persistence & Privilege
The skill is not marked 'always:true' and uses normal autonomous invocation defaults. That is expected. However, because the skill can perform destructive operations (approvals, deletes, create with '--yes'), giving it autonomous invocation increases risk — the combination of autonomous execution and scripts that default to executing mutations (instead of always dry-running) is a practical security concern and should be managed (restrict autonomous use or require explicit confirmation).
What to consider before installing
What to check before installing/using this skill:
- Credentials: SKILL.md and clawhub.yml require OAuth credentials (DWS_CLIENT_ID and DWS_CLIENT_SECRET). The registry header incorrectly lists no required env vars — don't rely on that. Use scoped, least-privilege app credentials and prefer interactive/keychain login rather than env vars where possible.
- Verify the CLI: SKILL.md points to a third-party GitHub repo (https://github.com/DingTalk-Real-AI/dingtalk-workspace-cli). Manually review the repository and the installer script before running any curl | sh or PowerShell 'iex' commands. Prefer installing from a vetted release or building from source yourself.
- Scripts can mutate state: Several bundled scripts call dws with automatic '--yes' (e.g., import_records.py) or will perform mutations unless you pass explicit dry-run flags. If you intend to let the agent run this skill autonomously, restrict that permission or ensure operations are always run with --dry-run by default.
- Test in a sandbox: Follow the skill's own advice — test in a non-production/sandbox enterprise and use least-privilege app approvals first.
- Operational controls: Disable autonomous invocation for this skill unless you trust the agent; require explicit user confirmation for any mutation; audit activity and token usage; rotate credentials if you stop using the skill.
Given the metadata inconsistencies and scripts that can perform destructive actions without safe defaults, treat this skill as 'suspicious' until you confirm the repo authenticity and adjust operational safeguards.
latest: vk97094te53fp8d2mafhy0mfz8d841y9e
