Use Dingding

Security checks across malware telemetry and agentic risk

Overview

This DingTalk automation skill is legitimate in purpose, but it gives agents broad enterprise authority and includes under-scoped examples for approvals and employee data access.

Install only if you trust the DingTalk app, the dws CLI source, and the OAuth scopes you grant. Use least-privilege credentials, avoid autonomous approval or messaging workflows, verify details before any --yes command, and avoid the curl|sh or irm|iex installer paths unless you independently inspect and verify the installer.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Intent-Code Divergence

Severity
High
Confidence
99%
Finding
The dry-run/execute semantics are inverted between create_event and run_dws_action: create_event passes the user-facing 'execute' value straight into a parameter named 'dry_run', while run_dws_action treats dry_run=True as '--dry-run' and dry_run=False as '--yes'. As written, the default non-execute path (execute=False) sends dry_run=False and performs a real calendar mutation with the confirmation prompt skipped, while '--execute' sends dry_run=True and only triggers a dry run. This is a safety-control bypass for booking actions.

Intent-Code Divergence

Severity
High
Confidence
98%
Finding
The helper's API and docstring say execute=True performs mutation, but create_todo passes the caller's 'execute' value into the parameter named 'dry_run'. This inverts behavior: --execute results in --dry-run, while the default path can append --yes and perform real task creation, creating a dangerous mismatch between documented safety controls and actual mutation behavior.
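The two findings above describe the same wiring bug in two wrappers. The block below is an added reconstruction, not the skill's code: run_dws_action, create_event and create_todo are the names the report uses, but the argv layout and the subcommand words ("calendar", "todo", "create") are placeholders assumed for illustration. Nothing here invokes the dws CLI; every function only returns the argv it would run, which is what makes the inversion checkable offline.

```python
"""Added reconstruction of the dry_run/execute inversion in findings 1 and 2.
NOT the skill's code: run_dws_action, create_event and create_todo are the
report's names; the subcommand words ("calendar", "todo", "create") and the
argv shape are placeholders assumed for this example. No dws process is
started; the functions return the argv they would run."""
from typing import Callable, Dict, List


def run_dws_action(args: List[str], dry_run: bool = True) -> List[str]:
    """Helper semantics as the report describes them: dry_run=True appends
    --dry-run (no mutation); dry_run=False appends --yes (mutate and skip
    the interactive confirmation)."""
    argv = ["dws", *args]
    argv.append("--dry-run" if dry_run else "--yes")
    return argv


# --- wrappers wired the way the findings describe (vulnerable) -------------
def create_event_buggy(summary: str, execute: bool = False) -> List[str]:
    """Docstring promises execute=True mutates and the default is a dry run,
    but the caller's 'execute' value is handed to 'dry_run' unchanged."""
    return run_dws_action(["calendar", "create", summary], dry_run=execute)


def create_todo_buggy(summary: str, execute: bool = False) -> List[str]:
    return run_dws_action(["todo", "create", summary], dry_run=execute)


# --- corrected wrappers: negate, so mutation stays opt-in ------------------
def create_event(summary: str, execute: bool = False) -> List[str]:
    return run_dws_action(["calendar", "create", summary], dry_run=not execute)


def create_todo(summary: str, execute: bool = False) -> List[str]:
    return run_dws_action(["todo", "create", summary], dry_run=not execute)


def safety_check(wrapper: Callable[..., List[str]]) -> Dict[str, bool]:
    """Regression guard for any execute-style wrapper: the default call must
    never reach --yes, and execute=True must never produce --dry-run."""
    default_argv = wrapper("probe")
    execute_argv = wrapper("probe", execute=True)
    return {
        "default_is_dry_run": "--dry-run" in default_argv and "--yes" not in default_argv,
        "execute_mutates": "--yes" in execute_argv and "--dry-run" not in execute_argv,
    }


if __name__ == "__main__":
    for fn in (create_event_buggy, create_todo_buggy, create_event, create_todo):
        print(f"{fn.__name__:18s} default={fn('probe')[-1]:9s} "
              f"execute={fn('probe', execute=True)[-1]:9s} {safety_check(fn)}")
```

Running the block prints both buggy wrappers with `default=--yes` and `execute=--dry-run`, which is the inversion the findings describe; the corrected wrappers pass both checks. The point of safety_check is that a wrapper whose mutating flag is reachable from the default call should fail a test before it ships, whatever parameter name it uses internally.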

Missing User Warnings

Severity
Medium
Confidence
93%
Finding
The documentation explicitly demonstrates commands that retrieve attendance records, shift schedules, and summaries for arbitrary `--user-id` and `--dept-id` values without any accompanying authorization, least-privilege, or privacy guidance. In an attendance context, these queries expose sensitive employee behavioral and HR-related data, and normalizing such access patterns can lead users or downstream agents to enumerate coworkers' or teams' records beyond their legitimate scope.

Missing User Warnings

Severity
Medium
Confidence
88%
Finding
This reference documents commands that search for and retrieve user records by name, mobile number, email, department, and user ID, and the examples explicitly extract personal fields such as names, mobile numbers, departments, and identifiers. While this appears to be legitimate product documentation rather than overtly malicious content, it normalizes privacy-sensitive lookup operations without any warning about authorization, least-privilege use, logging, or handling of personal data, which can facilitate employee enumeration and misuse of directory data.

Missing User Warnings

Severity
Medium
Confidence
91%
Finding
The documentation shows approval and rejection commands executed with `--yes`, which removes interactive confirmation for sensitive workflow actions. In an agent or copy-paste context, this increases the chance of accidental or automated irreversible approval decisions without adequate human review.

Missing User Warnings

Severity
High
Confidence
97%
Finding
The auto-approve pattern demonstrates bulk approval logic based only on a title match (`contains("Expense")`) and then loops through results to approve them automatically. In a real environment, this can normalize unsafe automation of authorization decisions, enabling mass approval of fraudulent, misclassified, or attacker-crafted requests with minimal validation.
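The two approval findings (commands run with `--yes`, and bulk approval keyed on `contains("Expense")`) share one fix: decide on stable, policy-backed attributes and fail closed, then let a human confirm whatever survives. The block below is an added example, not the skill's script. It never calls dws; it returns which approval ids a script may act on and why the others need review. The Approval and Policy fields and the SAMPLE records are constructed for this example and do not correspond to any dws output format.

```python
"""Added example for the --yes and auto-approve findings; not the skill's
script. Replaces a title-only test (contains("Expense")) with a fail-closed
gate. Approval/Policy fields and SAMPLE are constructed, not dws output."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Approval:
    id: str
    template_id: str   # the workflow template, a stable identifier
    requester: str
    amount: float
    title: str         # free text, requester-controlled: never decide on it alone


@dataclass(frozen=True)
class Policy:
    allowed_templates: FrozenSet[str]
    max_amount: float
    trusted_requesters: FrozenSet[str]
    approver: str      # identity the automation approves as


def title_only_gate(items: List[Approval], needle: str = "Expense") -> List[str]:
    """The flagged pattern: every item whose title contains the word is approved."""
    return [a.id for a in items if needle in a.title]


def gate(items: List[Approval], policy: Policy) -> Dict[str, List[str]]:
    """Map each approval id to the reasons it must NOT be auto-approved.
    An empty list means every check passed; anything else goes to a human.
    Every check adds a reason rather than short-circuiting, so the review
    queue shows all problems at once."""
    decisions: Dict[str, List[str]] = {}
    for a in items:
        reasons: List[str] = []
        if a.template_id not in policy.allowed_templates:
            reasons.append("template not allowlisted")
        if a.requester not in policy.trusted_requesters:
            reasons.append("requester not on trusted list")
        if a.amount > policy.max_amount:
            reasons.append(f"amount {a.amount:.2f} exceeds cap {policy.max_amount:.2f}")
        if a.requester == policy.approver:
            reasons.append("self-approval")
        decisions[a.id] = reasons
    return decisions


def auto_approvable(items: List[Approval], policy: Policy) -> List[str]:
    """Ids with no blocking reason. Still run them with --dry-run first and
    show the list to a human before any --yes."""
    return [i for i, reasons in gate(items, policy).items() if not reasons]


POLICY = Policy(
    allowed_templates=frozenset({"expense_report_v2"}),
    max_amount=500.0,
    trusted_requesters=frozenset({"alice", "bob", "carol"}),
    approver="carol",
)

# Constructed sample: every title matches "Expense", so the title-only gate
# approves all five; only A1 survives the policy checks.
SAMPLE = [
    Approval("A1", "expense_report_v2", "alice", 120.0, "Expense: taxi to client"),
    Approval("A2", "expense_report_v2", "mallory", 90.0, "Expense: lunch"),
    Approval("A3", "leave_request", "bob", 0.0, "Expense reimbursement (leave)"),
    Approval("A4", "expense_report_v2", "alice", 4800.0, "Expense: laptop"),
    Approval("A5", "expense_report_v2", "carol", 50.0, "Expense: coffee"),
]

if __name__ == "__main__":
    print("title-only approves:", title_only_gate(SAMPLE))
    print("policy approves:    ", auto_approvable(SAMPLE, POLICY))
    for aid, reasons in gate(SAMPLE, POLICY).items():
        if reasons:
            print(f"  {aid} -> human review: {'; '.join(reasons)}")
```

A3 is the case the finding warns about: a request from an unrelated workflow whose title was written to match the substring. The template identifier, not the title, is what the gate keys on, and the requester allowlist, amount cap and self-approval check each catch one of the other constructed records.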

Missing User Warnings

Severity
Medium
Confidence
92%
Finding
The script enumerates department members and prints their mobile numbers directly to stdout in table, CSV, and JSON formats without any access control check, masking, consent prompt, or warning about sensitive personal data exposure. In an agent skill context, this increases the risk of bulk collection, accidental logging, terminal capture, or downstream exfiltration of employee contact information.
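The three employee-data findings (attendance by arbitrary `--user-id`/`--dept-id`, directory lookups by name, mobile or email, and the member export that prints mobile numbers) all lack the same controls. The block below is an added example, not the skill's script, showing what a department export looks like with them: a scope check that fails closed, masking of the mobile number unless a justification is supplied, and an audit record for every export. The member records and field names are constructed for this example and are not dws output.

```python
"""Added example for the directory/attendance findings; not the skill's
script. Shows scope enforcement, default masking and an audit trail on a
department-member export. SAMPLE_MEMBERS is constructed, not dws output."""
import csv
import io
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

SAMPLE_MEMBERS: List[Dict[str, str]] = [  # constructed; field names are placeholders
    {"userid": "u1001", "name": "Alice", "dept_id": "42", "mobile": "13800001234"},
    {"userid": "u1002", "name": "Bob", "dept_id": "42", "mobile": "+86 139 0000 5678"},
    {"userid": "u2001", "name": "Carol", "dept_id": "77", "mobile": "13700009999"},
]


def mask_mobile(number: str, keep: int = 4) -> str:
    """Keep only the last `keep` digits; punctuation and spaces are dropped
    so the masked form leaks nothing about formatting either."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if len(digits) <= keep:
        return "*" * len(digits)
    return "*" * (len(digits) - keep) + digits[-keep:]


def export_members(members: List[Dict[str, str]], dept_id: str, caller_scope: Set[str], *,
                   reveal_pii: bool = False, justification: Optional[str] = None,
                   audit: Optional[List[Dict]] = None, fmt: str = "csv") -> str:
    """Return the listing for one department as csv or json.

    caller_scope holds the dept ids the caller may read; it must come from
    the identity/OAuth layer, never from the request itself. Any dept outside
    it raises, so a bad or attacker-supplied --dept-id fails closed."""
    if dept_id not in caller_scope:
        raise PermissionError(f"dept {dept_id} is outside the caller's scope")
    if reveal_pii and not justification:
        raise ValueError("revealing mobile numbers requires a justification")
    rows = [
        {"userid": m["userid"], "name": m["name"],
         "mobile": m["mobile"] if reveal_pii else mask_mobile(m["mobile"])}
        for m in members if m["dept_id"] == dept_id
    ]
    if audit is not None:  # one record per export, whether or not PII was shown
        audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "dept_id": dept_id, "rows": len(rows),
            "pii": reveal_pii, "justification": justification,
        })
    if fmt == "json":
        return json.dumps(rows)
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["userid", "name", "mobile"], lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    log: List[Dict] = []
    print(export_members(SAMPLE_MEMBERS, "42", {"42"}, audit=log))
    try:
        export_members(SAMPLE_MEMBERS, "77", {"42"}, audit=log)
    except PermissionError as exc:
        print("denied:", exc)
    print(export_members(SAMPLE_MEMBERS, "42", {"42"}, reveal_pii=True,
                         justification="HR ticket reference", audit=log, fmt="json"))
    print(json.dumps(log, indent=1))
```

The default output is what an agent or a terminal log can safely capture; the unmasked path exists, but it is opt-in, has to carry a justification, and leaves an audit entry that names the department and row count.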

External Script Fetching

Severity
Low
Category
Supply Chain
Content
```bash
# macOS / Linux - REVIEW SCRIPT BEFORE RUNNING
curl -fsSL https://raw.githubusercontent.com/DingTalk-Real-AI/dingtalk-workspace-cli/main/scripts/install.sh | sh

# Windows (PowerShell) - REVIEW SCRIPT BEFORE RUNNING
irm https://raw.githubusercontent.com/DingTalk-Real-AI/dingtalk-workspace-cli/main/scripts/install.ps1 | iex
```
Confidence
97%
Finding
Matched pattern: a remotely fetched script piped straight into a shell, `curl -fsSL https://raw.githubusercontent.com/DingTalk-Real-AI/dingtalk-workspace-cli/main/scripts/install.sh | sh`. The script is pulled from the unpinned `main` branch and executed without being saved, inspected or checksum-verified, so whatever that URL serves at install time runs with the user's privileges; the PowerShell variant (`irm ... | iex`) has the same shape.

Chaining Abuse

Severity
High
Category
Tool Misuse
Content
```bash
# macOS / Linux - REVIEW SCRIPT BEFORE RUNNING
curl -fsSL https://raw.githubusercontent.com/DingTalk-Real-AI/dingtalk-workspace-cli/main/scripts/install.sh | sh

# Windows (PowerShell) - REVIEW SCRIPT BEFORE RUNNING
irm https://raw.githubusercontent.com/DingTalk-Real-AI/dingtalk-workspace-cli/main/scripts/install.ps1 | iex
```
Confidence
98%
Finding
Matched pattern: `| sh`, the pipe that chains the network fetch into a shell so that the downloaded content is executed rather than written to disk for review. The "REVIEW SCRIPT BEFORE RUNNING" comment cannot be honoured by the command as written, since nothing is reviewable before it runs.

VirusTotal

63/63 vendors flagged this skill as clean.
