Dingtalk Workspace

Security checks across malware telemetry and agentic risk

Overview

This DingTalk skill is broadly legitimate, but its examples and bundled scripts can change live workplace data (approvals, chat messages, group membership, todos) or expose employee information (attendance records, mobile numbers) with weak safeguards.

Review before installing in a real workspace. Use a least-privileged DingTalk app, test in a sandbox tenant, require dry-run and human confirmation for approvals, messages, todos, calendar events, and AITable changes, and avoid exporting employee attendance or mobile numbers unless you have a clear authorized business need.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Missing User Warnings

Medium severity, 92% confidence
Finding
The reference includes examples for retrieving team attendance, department shift schedules, and other users' attendance summaries without any warning about authorization scope, privacy sensitivity, or least-privilege use. In a skills/reference context, this can normalize broad access to employee attendance data and encourage downstream agents or users to query personal workforce data beyond their legitimate need.

Missing User Warnings

Medium severity, 90% confidence
Finding
This reference documents commands that can send, recall, and modify live chat messages and group membership without any cautionary guidance, confirmation steps, or warning that these actions affect real users and production conversations. In an agent skill context, such omission increases the chance of accidental misuse, spam, unintended disclosure, or disruptive membership changes when an automated system follows the examples directly.

Missing User Warnings

Medium severity, 95% confidence
Finding
The documentation includes an explicit auto-approval workflow that loops over pending requests and approves them with `--yes`, bypassing interactive confirmation and showing no verification step, eligibility check, or warning about financial and governance consequences. In an approval-management context, this normalizes unsafe automation of business decisions and could lead users or agents to mass-approve unauthorized or fraudulent requests.

Missing User Warnings

Medium severity, 91% confidence
Finding
The approve, reject, and revoke examples demonstrate state-changing operations, including confirmation bypass with `--yes`, but provide no warning that these commands irreversibly alter approval state or may affect business, financial, or compliance workflows. In an OA/approval reference, that omission increases the chance of accidental misuse by operators or automation that copy-pastes examples directly into production.

Missing User Warnings

Medium severity, 89% confidence
Finding
The script enumerates department members and prints personal contact data, including mobile numbers, directly to stdout in multiple exportable formats. In an agent skill context, this increases the chance of bulk PII exposure, accidental disclosure in logs, terminal histories, downstream pipelines, or unauthorized use without user confirmation or access checks.
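A data-minimizing version of the member export the finding describes, as an added example (not the skill's own script): contact fields are dropped unless the caller opts in, mobile numbers and e-mail addresses are masked even then, and the same rows feed both CSV and JSON output. The record field names (`userid`, `name`, `title`, `mobile`, `email`) and the sample members are constructed assumptions, not the real DingTalk API schema.

```python
"""Safer department-member export: PII off by default, masked when opted in."""
from __future__ import annotations

import csv
import io
import json

# Constructed sample records standing in for a member-listing response.
# Field names are assumptions, not the real DingTalk API schema.
SAMPLE_MEMBERS = [
    {"userid": "u1001", "name": "Alice Zhang", "title": "Engineer",
     "mobile": "13812345678", "email": "alice@example.com"},
    {"userid": "u1002", "name": "Bob Li", "title": "Manager",
     "mobile": "+86 139 0000 1234", "email": "bob@example.com"},
    {"userid": "u1003", "name": "Chen Wei", "title": "Analyst",
     "mobile": None, "email": None},
]

# Columns that are safe to emit by default; contact data needs an explicit opt-in.
DEFAULT_FIELDS = ("userid", "name", "title")
PII_FIELDS = ("mobile", "email")


def mask_mobile(mobile):
    """Keep only the last four digits: '13812345678' -> '*******5678'."""
    if not mobile:
        return ""
    digits = "".join(ch for ch in mobile if ch.isdigit())
    if len(digits) <= 4:
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_email(email):
    """Keep the first character of the local part and the domain."""
    if not email or "@" not in email:
        return ""
    local, domain = email.split("@", 1)
    return local[:1] + "***@" + domain


def project_members(members, include_pii=False, mask=True):
    """Return records restricted to allowlisted fields.

    Without include_pii the contact columns are absent entirely, so the default
    output is safe to paste into logs, tickets or downstream pipelines.  With
    include_pii=True the values are still masked unless mask=False, which a
    caller should reserve for an export with a documented business need.
    """
    fields = DEFAULT_FIELDS + (PII_FIELDS if include_pii else ())
    rows = []
    for m in members:
        row = {f: m.get(f) for f in fields}
        if include_pii and mask:
            row["mobile"] = mask_mobile(row.get("mobile"))
            row["email"] = mask_email(row.get("email"))
        rows.append(row)
    return rows


def to_csv(rows):
    if not rows:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def to_json(rows):
    return json.dumps(rows, ensure_ascii=False, indent=2)


if __name__ == "__main__":
    # Default path: no contact data at all.
    print(to_csv(project_members(SAMPLE_MEMBERS)))
    # Opt-in path: contact columns present but masked.
    print(to_json(project_members(SAMPLE_MEMBERS, include_pii=True)))
```

The point of the split is that a script an agent runs by default never has the raw numbers in its stdout; the unmasked path exists, but it has to be asked for by name, which is where an access check or human confirmation belongs.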

Missing User Warnings

Medium severity, 91% confidence
Finding
The script appends `--yes` for normal execution, causing immediate non-interactive creation of todos from whatever JSON file is provided. In an agent or automation context, this removes a confirmation barrier and can be abused to mass-create unwanted tasks, spam executors, or trigger operational actions without explicit review.
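The three `--yes` findings above (the auto-approval loop, the approve/reject/revoke examples, and the todo-creation script) share one missing control: a gate between "here is a list of items" and "change production state for all of them". The following added example (not the skill's own code) shows that gate: every item passes an eligibility check, one run can change at most `max_batch` items, and `--yes` is appended only when a human sets `confirmed=True` after reading the dry-run plan. The command names (`dingtalk approval approve`, `dingtalk todo create`), the `--subject`/`--executor` options, the item field names and the sample queues are assumptions used only to build argv for the plan; the page shows `--yes`, not the skill's actual CLI syntax.

```python
"""Gate bulk state-changing commands (approvals, todos) behind policy and confirmation."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable

CLI = "dingtalk"  # assumed command name; the real CLI syntax is not shown on the page


@dataclass
class Plan:
    commands: list[list[str]] = field(default_factory=list)   # what would run
    skipped: dict[str, str] = field(default_factory=dict)     # item label -> reason

    def render(self) -> str:
        lines = [" ".join(argv) for argv in self.commands]
        lines += [f"SKIP {label}: {why}" for label, why in self.skipped.items()]
        return "\n".join(lines)


def unsafe_auto_approve(pending: list[dict]) -> list[list[str]]:
    """The pattern the finding describes: every pending item gets --yes, no checks."""
    return [[CLI, "approval", "approve", p["id"], "--yes"] for p in pending]


def gate(items: list[dict], label: Callable[[dict], str],
         build_argv: Callable[[dict], list[str]],
         eligible: Callable[[dict], str | None],
         max_batch: int, confirmed: bool = False) -> Plan:
    """Plan state changes instead of executing them blindly.

    eligible(item) returns None to allow or a reason string to skip.  --yes is
    appended only when confirmed=True, which a human sets after reviewing the
    rendered plan; the script never sets it on its own.  max_batch bounds how
    much a single run can change even when every item is eligible.
    """
    plan = Plan()
    for item in items:
        reason = eligible(item)
        if reason is None and len(plan.commands) >= max_batch:
            reason = "batch cap reached; review the rest manually"
        if reason is not None:
            plan.skipped[label(item)] = reason
            continue
        argv = build_argv(item)
        if confirmed:
            argv.append("--yes")
        plan.commands.append(argv)
    return plan


# --- approvals: only low-risk kinds below a spend threshold are automatable ----
AUTO_APPROVABLE_KINDS = {"leave"}      # assumed policy: expenses always need a human
MAX_AUTO_AMOUNT = 500.0


def approval_eligible(p: dict) -> str | None:
    if p["kind"] not in AUTO_APPROVABLE_KINDS:
        return f"kind {p['kind']!r} is not auto-approvable"
    if p.get("amount", 0) > MAX_AUTO_AMOUNT:
        return f"amount {p['amount']} exceeds {MAX_AUTO_AMOUNT}"
    return None


def approve_argv(p: dict) -> list[str]:
    return [CLI, "approval", "approve", p["id"]]


# --- todos from a JSON file: validate before anything is created ---------------
KNOWN_EXECUTORS = {"u1001", "u1002"}   # assumed allowlist of user IDs


def todo_eligible(t: dict) -> str | None:
    if not t.get("subject") or len(t["subject"]) > 120:
        return "subject missing or too long"
    if t.get("executor") not in KNOWN_EXECUTORS:
        return f"executor {t.get('executor')!r} not in allowlist"
    return None


def todo_argv(t: dict) -> list[str]:
    return [CLI, "todo", "create", "--subject", t["subject"], "--executor", t["executor"]]


# Constructed sample input standing in for the pending queue and the todo JSON file.
SAMPLE_APPROVALS = [
    {"id": "A-1", "kind": "leave", "amount": 0},
    {"id": "A-2", "kind": "expense", "amount": 1200.0},
    {"id": "A-3", "kind": "leave", "amount": 0},
    {"id": "A-4", "kind": "leave", "amount": 0},
]
SAMPLE_TODOS = [
    {"subject": "Rotate app secret", "executor": "u1001"},
    {"subject": "Spam task", "executor": "attacker"},
]

if __name__ == "__main__":
    # Dry run: no --yes anywhere; a human reads this, then reruns with confirmed=True.
    print(gate(SAMPLE_APPROVALS, lambda p: p["id"], approve_argv, approval_eligible, max_batch=2).render())
    print(gate(SAMPLE_TODOS, lambda t: t["subject"], todo_argv, todo_eligible, max_batch=10).render())
```

Compare `unsafe_auto_approve`, which emits four `--yes` commands for the same queue, with the gated plan, which emits two commands without `--yes` and explains why the other two were held back. The `confirmed` flag is deliberately a function argument rather than something read from the environment or the JSON file, so an agent following the examples cannot satisfy it by accident.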

VirusTotal

66/66 vendors reported this skill as clean (no detections).
