ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Dingtalk CLI SKILL

v1.0.12

钉钉 CLI 技能 / 钉钉 dingding / 钉钉 dws skill / 管理钉钉全部产品:AI表格、日历、通讯录、群聊机器人、待办、审批、考勤、日报周报、DING消息、工作台。Manage DingTalk products (AI forms, calendar, contacts, bots, to...

0· 102·0 current·0 all-time
by花渡@cizixiu

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for cizixiu/dingtalk-dws.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Dingtalk CLI SKILL" (cizixiu/dingtalk-dws) from ClawHub.
Skill page: https://clawhub.ai/cizixiu/dingtalk-dws
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: DWS_CLIENT_ID, DWS_CLIENT_SECRET, DWS_CONFIG_DIR, DWS_SERVERS_URL
Required binaries: dws
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install dingtalk-dws

ClawHub CLI

Package manager switcher

npx clawhub@latest install dingtalk-dws
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill is clearly a wrapper/documentation + helper scripts for the DingTalk 'dws' CLI and requests the expected CLI binary and OAuth client id/secret. However the registry summary says 'no install spec' while SKILL.md contains an install URL; the declared required binary is 'dws' but the install artifact is a Windows dws.exe. These mismatches (install presence and platform targeting) are inconsistent with a clean listing.
Instruction Scope
SKILL.md instructs the agent (and user) to run the dws CLI and to authenticate using dws auth login (opens browser QR login). The runtime instructions reference only dws commands, local skill files, and a local CLI path. They do not instruct reading unrelated system files or exfiltrating data. The scripts directory (Python scripts) is intended for attachment upload and automation — you should inspect those scripts before running.
Install Mechanism
The SKILL.md includes an install entry that downloads a dws-windows-amd64.zip from a GitHub releases URL with a provided SHA256 — this is an expected but higher-risk install mechanism than an instruction-only skill. The URL is a GitHub release (well-known host) and a checksum is provided, which reduces risk. Concerns: the install entry is Windows-specific (dws.exe) while the manifest/requirements don't clearly state platform restrictions; registry metadata claimed 'no install spec' which is inconsistent.
Credentials
Required env vars (DWS_CLIENT_ID, DWS_CLIENT_SECRET, DWS_CONFIG_DIR, DWS_SERVERS_URL) align with a CLI that needs OAuth credentials and configuration. Note: DWS_SERVERS_URL lets the CLI be pointed to a custom server endpoint — legitimate for self-hosting/testing but it can be abused if set to an untrusted endpoint.
Persistence & Privilege
The skill does not request always:true or other elevated listing-level privileges. It expects the CLI to persist tokens locally (30 days) in the config directory (DWS_CONFIG_DIR) — expected behavior for a CLI-based OAuth flow. The skill does not declare writing other skills' config or global agent config.
What to consider before installing
This skill appears to be a legitimate dws CLI wrapper, but there are inconsistencies and a few moderate risks to check before installing: - Metadata inconsistency: the registry claims 'no install spec' while SKILL.md includes a download/install section. Confirm which is authoritative. - Platform mismatch: the provided install artifact is a Windows dws.exe; if you run on Linux/macOS ensure there is an appropriate release. The skill's files and docs mix Windows PowerShell and POSIX-like paths — verify target OS. - Verify the binary: the install URL points to a GitHub release and includes a SHA256 — download the zip yourself, verify the checksum, and inspect the binary/source release on the referenced GitHub repo before executing. - Inspect scripts: the package includes multiple Python automation scripts (including attachment upload). Review these scripts for endpoints and behavior (they perform prepare + PUT flows and will interact with remote storage). Do not run scripts you can't audit. - Protect secrets and endpoints: DWS_CLIENT_SECRET is required — only set it in a secure environment. Be cautious with DWS_SERVERS_URL: do not point it to unknown or untrusted servers (that could redirect the CLI to exfiltrate data). - Least privilege practice: consider running first in an isolated/test account or sandbox, and set DWS_CONFIG_DIR to a dedicated directory you control so tokens remain segregated. If you want, I can: (1) list the exact differences between registry metadata and SKILL.md/install, (2) fetch and show the scripts' content highlights (if allowed), or (3) produce concrete steps to safely install and verify the binary and scripts.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Binsdws
EnvDWS_CLIENT_ID, DWS_CLIENT_SECRET, DWS_CONFIG_DIR, DWS_SERVERS_URL
Primary envDWS_CLIENT_ID
calendarvk973y6ff69m9ssc5evjtz5k06n84k79vcizixiuvk973y6ff69m9ssc5evjtz5k06n84k79vclivk973y6ff69m9ssc5evjtz5k06n84k79vdingdingvk973y6ff69m9ssc5evjtz5k06n84k79vdingtalkvk973y6ff69m9ssc5evjtz5k06n84k79vdingtalk-dwsvk973y6ff69m9ssc5evjtz5k06n84k79vdwsvk973y6ff69m9ssc5evjtz5k06n84k79vlatestvk973y6ff69m9ssc5evjtz5k06n84k79vofficialvk973y6ff69m9ssc5evjtz5k06n84k79vtodovk973y6ff69m9ssc5evjtz5k06n84k79v
102downloads
0stars
13versions
Updated 2w ago
v1.0.12
MIT-0
花渡@cizixiu
calendarcizixiuclidingdingdingtalkdingtalk-dwsdwslatestofficialtodo
Download

DingTalk dws Skill (WorkBuddy Version)

钉钉 dws 技能(WorkBuddy 版)

Use dws CLI to manage all DingTalk product capabilities. 使用 dws CLI 管理钉钉全部产品功能。

dws CLI Path / dws CLI 路径

dws is installed at $HOME\.local\bin\dws.exe. Always use the full path or ensure $HOME\.local\bin is in your PATH. dws 安装在 $HOME\.local\bin\dws.exe。调用时使用完整路径,或确保 $HOME\.local\bin 已加入 PATH 环境变量。

Authentication / 认证

First-time users must authenticate: / 首次使用需认证:

& "$HOME\.local\bin\dws.exe" auth login

This opens a browser for QR code login. Credentials persist for 30 days. 此命令会打开浏览器,引导扫码登录钉钉。凭证有效期 30 天。

Re-authenticate when expired: / 凭证过期后重新认证:

& "$HOME\.local\bin\dws.exe" auth login

Common Commands / 常用命令

| Scenario 场景 | Command 命令 | :|----------|---------| | List todos / 查看待办 | dws todo task list | | Create todo / 创建待办 | dws todo task create --title "Report" --deadline 2026-04-15 | | List calendar / 查看日历 | dws calendar event list | | Send group message / 发群消息 | dws chat bot send-by-group --group-id <ID> --content "Message" | | List reports / 查看日报周报 | dws report inbox list | | Search contact / 搜索联系人 | dws contact user search --keyword "Name" | | List AI tables / 查看 AI 表格 | dws aitable base list |

See the references/ directory for full documentation on all 12 DingTalk products. 查看 references/ 目录获取全部 12 个钉钉产品的详细文档。

Comments

Loading comments...