Dingtalk CLI SKILL

Security checks across malware telemetry and agentic risk

Overview

This skill is a legitimate DingTalk automation package, but it gives an agent broad authority over business data, messages, calendars, attendance, and credentials with some under-scoped routing and confirmation guidance.

Install only if you want an agent to operate your DingTalk workspace. Review who can invoke it, protect DWS_CLIENT_SECRET and webhook tokens, avoid sharing logs that contain tokens or employee data, and require explicit confirmation before delete, message-send, attendance, calendar, or bulk table operations.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Behavioral ASTexec() Call, eval() Call, Dynamic Import
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (69)

subprocess module call

Medium

Category: Dangerous Code Execution
Content: print(f"[dry-run] {' '.join(cmd)}") return None try: result = subprocess.run( cmd, capture_output=True, text=True, timeout=60 ) if result.returncode != 0:
Confidence: 70% confidence
Finding: result = subprocess.run( cmd, capture_output=True, text=True, timeout=60 )

subprocess module call

Medium

Category: Dangerous Code Execution
Content: print(f"[dry-run] {' '.join(cmd)}") return None try: result = subprocess.run( cmd, capture_output=True, text=True, timeout=60 ) if result.returncode != 0:
Confidence: 70% confidence
Finding: result = subprocess.run( cmd, capture_output=True, text=True, timeout=60 )

subprocess module call

Medium

Category: Dangerous Code Execution
Content: cmd = ['dws'] + args try: result = subprocess.run( cmd, capture_output=True, text=True, timeout=60 ) if result.returncode != 0:
Confidence: 70% confidence
Finding: result = subprocess.run( cmd, capture_output=True, text=True, timeout=60 )

subprocess module call

Medium

Category: Dangerous Code Execution
Content: print(f"[dry-run] {' '.join(cmd)}") return None try: result = subprocess.run( cmd, capture_output=True, text=True, timeout=60 ) if result.returncode != 0:
Confidence: 70% confidence
Finding: result = subprocess.run( cmd, capture_output=True, text=True, timeout=60 )

subprocess module call

Medium

Category: Dangerous Code Execution
Content: print(f"[dry-run] {' '.join(cmd)}") return {'dry_run': True} try: result = subprocess.run( cmd, capture_output=True, text=True, timeout=60 ) if result.returncode != 0:
Confidence: 70% confidence
Finding: result = subprocess.run( cmd, capture_output=True, text=True, timeout=60 )

subprocess module call

Medium

Category: Dangerous Code Execution
Content: print(f"[dry-run] {' '.join(cmd)}") return None try: result = subprocess.run( cmd, capture_output=True, text=True, timeout=60 ) if result.returncode != 0:
Confidence: 70% confidence
Finding: result = subprocess.run( cmd, capture_output=True, text=True, timeout=60 )

subprocess module call

Medium

Category: Dangerous Code Execution
Content: print(f"[dry-run] {' '.join(cmd)}") return None try: result = subprocess.run( cmd, capture_output=True, text=True, timeout=60 ) if result.returncode != 0:
Confidence: 70% confidence
Finding: result = subprocess.run( cmd, capture_output=True, text=True, timeout=60 )

subprocess module call

Medium

Category: Dangerous Code Execution
Content: return None cmd = ['dws'] + args try: result = subprocess.run( cmd, capture_output=True, text=True, timeout=120 ) if result.returncode != 0:
Confidence: 70% confidence
Finding: result = subprocess.run( cmd, capture_output=True, text=True, timeout=120 )

subprocess module call

Medium

Category: Dangerous Code Execution
Content: print(f"[dry-run] {' '.join(cmd)}") return None try: result = subprocess.run( cmd, capture_output=True, text=True, timeout=60 ) if result.returncode != 0:
Confidence: 70% confidence
Finding: result = subprocess.run( cmd, capture_output=True, text=True, timeout=60 )

subprocess module call

Medium

Category: Dangerous Code Execution
Content: print(f"[dry-run] {' '.join(cmd)}") return {'dry_run': True} try: result = subprocess.run( cmd, capture_output=True, text=True, timeout=60 ) if result.returncode != 0:
Confidence: 70% confidence
Finding: result = subprocess.run( cmd, capture_output=True, text=True, timeout=60 )

subprocess module call

Medium

Category: Dangerous Code Execution
Content: print(f"[dry-run] {' '.join(cmd)}") return None try: result = subprocess.run( cmd, capture_output=True, text=True, timeout=60 ) if result.returncode != 0:
Confidence: 70% confidence
Finding: result = subprocess.run( cmd, capture_output=True, text=True, timeout=60 )

subprocess module call

Medium

Category: Dangerous Code Execution
Content: print(f"[dry-run] {' '.join(cmd)}") return None try: result = subprocess.run( cmd, capture_output=True, text=True, timeout=60 ) if result.returncode != 0:
Confidence: 70% confidence
Finding: result = subprocess.run( cmd, capture_output=True, text=True, timeout=60 )

subprocess module call

Medium

Category: Dangerous Code Execution
Content: """调用 dws 命令并返回解析后的 JSON 结果。""" cmd = ['dws'] + args try: result = subprocess.run(cmd, capture_output=True, text=True, timeout=60) if result.returncode != 0: print(f"错误：dws 命令失败: {result.stderr.strip()}", file=sys.stderr) return None
Confidence: 70% confidence
Finding: result = subprocess.run(cmd, capture_output=True, text=True, timeout=60)

Natural-Language Policy Violations

Low

Confidence: 86% confidence
Finding: The skill presents its title, description, and operational guidance in a fixed English/Chinese bilingual format, centered on Chinese-language usage, without stating that users may choose another language or locale. Under the policy, forcing a specific language or locale without user opt-in is a natural-language policy concern.

Natural-Language Policy Violations

Medium

Confidence: 95% confidence
Finding: The file title and operating guidance are written entirely in Chinese, and L2 instructs agents to consult this document when errors occur. This creates a language/locale constraint for agent operation without any user opt-in, alternative language option, or documented region-specific justification.

Natural-Language Policy Violations

Medium

Confidence: 90% confidence
Finding: This markdown file contains user-facing instructions exclusively in Chinese, including headings, operational guidance, and warnings. Under the natural-language policy rules, forcing a specific language without user opt-in or an explicit documented justification is a policy concern.

Natural-Language Policy Violations

Medium

Confidence: 94% confidence
Finding: The document title and all routing guidance are presented only in Chinese, which imposes a specific language on users or operators without offering an alternative or documenting an explicit locale constraint. This matches the language/locale policy violation category because no opt-in or justified region-specific limitation is stated in the file.

Vague Triggers

Medium

Confidence: 93% confidence
Finding: 该文档在“意图判断”中将“表格”“数据”“查看”“搜索”“修改”等常见自然语言词直接映射到命令。这些词在日常办公对话中非常常见，且未给出明确的上下文约束或反例，容易让代理在用户只是泛泛提到表格或数据时误触发本技能。

Natural-Language Policy Violations

Low

Confidence: 85% confidence
Finding: 整个技能参考与示例均以中文固定呈现，且“意图判断”部分仅覆盖中文触发表述，没有说明是否支持其他语言或由用户选择输出语言。若组织要求语言/区域中立或遵循用户语言偏好，这种默认强制中文的说明方式可能构成自然语言策略违规。

Vague Triggers

Medium

Confidence: 95% confidence
Finding: The intent mapping activates on short, generic phrases like "出勤", "排班", "班次", and "统计" without narrowing context or providing exclusion examples. In a markdown skill description, these broad triggers can overlap with ordinary conversation and make it unclear when the attendance commands should or should not be invoked.

Missing User Warnings

Medium

Confidence: 86% confidence
Finding: This markdown file documents commands for querying individual attendance records, summaries, shifts, and rules using user IDs, including batch queries for multiple employees. It does not include any warning about handling personal employee data, verifying authorization, or limiting use to approved HR/manager scenarios, which is a missing disclosure for privacy-impacting behavior in markdown documentation.

Vague Triggers

Medium

Confidence: 94% confidence
Finding: 该 markdown 文件包含“意图判断”规则，使用了“日程/会议/约会/日历”“有空吗/忙不忙/闲忙”等非常宽泛的自然语言触发词。这些词在日常对话中高度常见，且文档未提供明确的上下文约束、排除条件或负例，容易导致技能在非命令性场景下被错误匹配。

Missing User Warnings

Medium

Confidence: 86% confidence
Finding: 该 markdown 文件说明了 `event delete`、`participant delete` 和 `room delete` 等会修改或删除日程相关数据的操作，并在示例中展示了 `--yes` 跳过确认的用法。但文档没有显式提醒这些操作会取消日程、移除参会人或释放会议室资源，也没有提示用户在执行前确认目标对象，属于对可能影响用户数据和协作安排的行为缺少警示。

Natural-Language Policy Violations

Low

Confidence: 75% confidence
Finding: 全文标题、命令说明和意图判断均以中文固定表述，且未说明该技能是否仅面向中文用户，或是否支持其他语言/locale 选择。根据规则，若技能强制特定语言而无用户选择或明确的合理区域性说明，可视为自然语言策略问题。

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: This markdown file documents `message send-by-webhook` with a required `--token` parameter and shows workflow examples using the token directly, but it does not warn users that the token is a sensitive credential that should be protected and not exposed in logs or shared outputs. For markdown files, credential-affecting behavior should include a user warning when it could affect privacy or system integrity.

VirusTotal

43/43 vendors flagged this skill as clean.

View on VirusTotal