Back to skill

Security audit

Dingtalk CLI SKILL

Security checks across malware telemetry and agentic risk

Overview

This DingTalk skill is not clearly malicious, but it needs Review because it can read and change sensitive workplace data with broad routing and inconsistent confirmation guidance.

Install only if you trust the external dws CLI and intend to let an agent operate DingTalk. Use least-privileged DingTalk credentials, protect DWS_CLIENT_SECRET, webhook tokens, and DWS_CONFIG_DIR, verify the CLI checksum, keep DWS_SERVERS_URL trusted, and require explicit human confirmation before deletes, approvals, paid DING SMS/calls, broad messages, webhook @all sends, report distribution, attendance/contact lookups, and calendar changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (20)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The description is extremely broad and generic, claiming it can manage essentially all DingTalk products and using many overlapping keywords in two languages. This can cause the skill to activate for ordinary enterprise productivity requests, increasing the chance that sensitive actions like messaging, contact lookup, or task operations are invoked inappropriately.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The intent-mapping section uses very broad natural-language trigger terms such as '表格/数据/行/查看/修改/删除', which overlap heavily with ordinary user phrasing. In an agent setting, this can cause misrouting into destructive commands like delete/update flows or unintended data queries when casual conversation ambiguously matches these patterns, especially because the skill includes high-impact irreversible operations.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill documents commands to retrieve personal attendance records, summaries, and batch employee shift data, but it provides no guidance on authorization checks, least-privilege use, or privacy handling. In an agent setting, this can normalize or enable access to sensitive employee presence and schedule information without verifying that the requester is allowed to view it.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The intent mapping uses very broad phrases such as '打卡记录/出勤/考勤' and '排班/班次/当班', which can match normal conversation and cause the agent to invoke attendance tools without sufficiently clear user intent. When the underlying commands expose sensitive HR data, accidental invocation increases the risk of privacy violations or overbroad data retrieval.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The intent-mapping section uses broad natural-language triggers like '日程/会议/约会/日历' and '有空吗/忙不忙/闲忙' to route into operational calendar commands. In an agent setting, this can cause unintended invocation of create/update/delete or privacy-sensitive queries from ambiguous conversational phrasing, especially because the same document also defines destructive actions and data-revealing workflows.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The document includes delete/remove operations for events, participants, and rooms without clearly warning that these commands modify live calendar data and resource bindings. In an automated agent workflow, lack of explicit mutation warnings increases the chance of accidental destructive actions or social-engineered requests being executed without adequate user awareness.

Missing User Warnings

Low
Confidence
78% confidence
Finding
Commands for participant listing and busy-status search expose personal scheduling and availability information, but the document lacks privacy guidance, authorization expectations, or least-privilege boundaries. This makes it easier for an agent to over-collect or disclose sensitive calendar metadata about users without sufficient notice or policy checks.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation exposes a workflow centered on a Webhook Token without clearly treating it as a secret or warning against logging, sharing, or embedding it insecurely. Because possession of the token appears sufficient to send messages, accidental disclosure could enable unauthorized message posting, spoofed alerts, or spam into organizational chat channels.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The skill documents bulk bot messaging and webhook features including broad targeting behaviors, but does not warn about misuse risks such as mass unsolicited messaging, accidental organization-wide notification fatigue, or disruptive @all mentions. In an agent context, missing friction or caution around high-reach messaging increases the chance of harmful but authorized misuse.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The intent mapping uses broad natural-language triggers such as '找人/搜人', '哪个部门', and '部门有谁', which can overlap with ordinary conversation and cause the agent to invoke directory queries without sufficiently specific user intent. In a skill that exposes employee and department lookup actions, accidental triggering can lead to unnecessary access to personal or organizational data.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The document enables searching users by name or mobile number, retrieving user details, and listing department members, but it provides no privacy, authorization, or visibility guidance. In the context of an enterprise contact directory, this omission increases the chance that an agent will expose personal data such as phone numbers, email addresses, user IDs, or org structure to users who are not explicitly authorized or who did not intend to access sensitive directory information.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger phrases include broad natural-language expressions such as “DING 一下”, “紧急通知”, and “电话提醒”, which can overlap with ordinary user conversation and cause unintended invocation of the DING send action. In this skill’s context, accidental activation is more dangerous because the command can send urgent notifications and even place paid SMS/call reminders, creating both disruption and financial cost.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The intent-matching guidance uses broad natural-language triggers such as '查日志/看日报' and '写日报/提交周报/发日志/填日志', which can overlap with ordinary conversation and cause an agent to invoke report operations when the user did not clearly request them. In this skill, that is especially risky because the command set includes both read access to inbox/sent reports and write/send capabilities, so a misfire could expose private work logs or create/send a report unintentionally.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The documentation explains how to create and optionally send reports to chats or user IDs, but it does not warn that report contents may include sensitive work information or that specifying recipients can disclose that information to others. In the context of an agent skill, omission of privacy and consent safeguards increases the chance that the agent will package user-provided text into a report and distribute it without adequate user awareness or confirmation.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill documents state-changing approval operations (approve, reject, revoke) with no requirement for explicit confirmation, identity verification, or warning that these commands alter business workflow state. In an agent setting, this creates a real risk of unintended or socially engineered execution that can modify approval records and affect leave, reimbursement, or other enterprise processes.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger mapping uses broad terms like '审批/请假/报销/出差' that commonly appear in ordinary conversation and may cause the agent to invoke approval workflows without a clear user request for an operation. Because this skill includes sensitive enterprise approval actions, ambiguous triggering materially increases the chance of unintended access to workflow data or accidental progression toward state-changing commands.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The intent mapping uses very broad trigger phrases such as '记一下', 'TODO', and '看看待办', which can easily overlap with casual conversation rather than an explicit command. In an agent setting, this increases the chance of unintended task creation, listing, modification, or deletion actions being inferred from ambiguous user language, especially because the document encourages direct command selection from these phrases.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The document notes that deletion is irreversible and '建议' using '--yes' with user confirmation, but it does not define a mandatory, consistent confirmation requirement before destructive actions. In an agent workflow, optional confirmation is insufficient because an LLM may execute deletion directly once it matches intent, leading to accidental irreversible loss of todo items.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger phrase "看看应用" is broad enough to match ordinary conversational requests, which can cause the skill to activate when the user's intent is ambiguous or incomplete. In an agent setting, this increases the chance of unintended command execution or data enumeration, especially because the mapped action immediately lists all workbench applications.

Missing User Warnings

Low
Confidence
78% confidence
Finding
The script sends user IDs and a time window to an external CLI to query calendar busy data, but it provides no explicit consent notice, privacy warning, or confirmation before transmitting potentially sensitive scheduling information. In a multi-user scheduling context, this can expose private metadata about participants' availability expectations without adequate transparency.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.