Dingtalk Docs 0.3.1
Security checks across malware telemetry and agentic risk
Overview
This skill is a coherent DingTalk Docs integration, but users should notice that it uses a token-bearing DingTalk MCP URL and can read, create, and overwrite cloud documents when directed.
Install only if you want an agent to manage DingTalk cloud documents for the configured account. Protect the DingTalk MCP URL because it contains an access token, and carefully confirm the target document and overwrite-versus-append choice before any write operation.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using this skill with that configured URL lets the agent act on DingTalk documents available to that account.
The skill uses a DingTalk MCP URL that contains an access token, giving it the user's DingTalk Docs authority through the configured service.
"name": "DINGTALK_MCP_DOCS_URL", "description": "钉钉文档服务的 Streamable HTTP 地址(含访问令牌)"
Use only a trusted DingTalk MCP URL, protect it like a password, and revoke or rotate it if it is no longer needed.
A mistaken overwrite choice could replace existing document content.
The skill can write to cloud documents, including an overwrite mode that clears existing content, but it explicitly requires confirmation of the update mode.
"写入前必须确认 updateType" -- "0=覆盖(清空后写入),1=续写(追加到末尾)"
Before allowing a write, confirm the target document and whether the action should overwrite or append.
The behavior also depends on the installed mcporter binary and its configuration.
The package depends on an external globally installed CLI with a lower-bound version rather than an exact pinned version.
"peerDependencies": { "mcporter": ">=0.7.0" }, "requiresBinaries": [ "mcporter" ]Install mcporter from a trusted source and keep it updated; verify the configured DingTalk service before use.
Running the included helper scripts will invoke local commands and contact the configured DingTalk service.
The helper scripts execute the local mcporter CLI. This is central to the skill's purpose and uses argument lists rather than shell execution.
command = ['mcporter', 'call', tool, '--output', 'json'] ... subprocess.run(command, capture_output=True, text=True, timeout=timeout)
Run the scripts only when you intend to perform the described document operation, and avoid running them with elevated privileges.
Your document titles, IDs, and content may be exchanged with the configured DingTalk MCP service during reads and writes.
Document operations are routed through a configured DingTalk MCP endpoint, so document content and metadata can pass through that provider connection.
访问 [钉钉 MCP 广场](https://mcp.dingtalk.com) ... mcporter config add dingtalk-docs --url "<你的_URL>"
Use the official DingTalk MCP configuration source and avoid pasting the token-bearing URL into logs, chats, or shared files.