Dingtalk Meetings Skill

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a legitimate DingTalk calendar assistant, but it requests and documents broader identity and local persistence capabilities than a meeting workflow clearly needs.

Install only if you are comfortable granting DingTalk calendar access and, if enabled, contacts access to your agent. Use the contacts MCP only when attendee lookup is needed, review any MCP config changes, avoid sharing the API URL, and periodically inspect or delete references/contacts.cache if colleague identifiers should not be retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Context-Inappropriate Capability

Medium (93% confidence)
Finding
The skill instructs the agent to run shell commands and edit local MCP configuration files across multiple agent environments, which exceeds the core calendar-management function and creates a path to modify the user's local environment. Even though the goal is setup convenience, accepting a user-supplied URL with an embedded API key and writing it into config files can expose secrets, alter unrelated tooling behavior, or enable unsafe local side effects if the skill is triggered in the wrong context.

Context-Inappropriate Capability

Medium (91% confidence)
Finding
The skill defines a persistent local cache of contact names and user IDs in a file under references/, storing personal identifiers beyond what is necessary for a single calendar transaction. This creates unnecessary local retention of sensitive organizational identity data, which could be exposed to other tools, users, backups, or accidental disclosure, especially because the data is persisted by default.

Intent-Code Divergence

Medium (82% confidence)
Finding
The skill states it is not responsible for enterprise member management, but later directs the agent to maintain a local mapping of employee identifiers. This inconsistency can mislead users and reviewers about the actual data handling behavior, weakening informed consent and increasing the chance that identity data is processed or retained without appropriate scrutiny.

Description-Behavior Mismatch

High (95% confidence)
Finding
The skill documentation exposes broad contacts and org-directory capabilities far beyond the stated purpose of calendar and meeting operations, including profile, department, following-list, and QR-code queries. In a meeting skill context, this over-privileged surface materially increases the risk of unnecessary collection, enumeration, and disclosure of employee data if the agent is prompted or manipulated to use these tools.

Context-Inappropriate Capability

High (97% confidence)
Finding
Access to the current user's DingTalk QR-code information has no direct relationship to scheduling meetings and can expose identity or account-linking artifacts that may be abused for tracking, impersonation workflows, or unauthorized sharing. Because the skill is framed as a calendar assistant, users are less likely to expect this level of identity-data access, making misuse more dangerous.

Context-Inappropriate Capability

Medium (88% confidence)
Finding
The 'special followings' list is unrelated to core calendar operations and reveals relationship or preference metadata about the user. That information could be mined for social graph inference, targeting, or profiling without a legitimate scheduling need.

Context-Inappropriate Capability

Medium (92% confidence)
Finding
Department enumeration and bulk member listing exceed the minimum needed to resolve a few meeting attendees and enable large-scale harvesting of organizational structure and employee identities. In the context of a scheduling skill, this creates an unnecessary reconnaissance surface that could be abused for directory scraping or broad unauthorized participant discovery.

Context-Inappropriate Capability

Medium (84% confidence)
Finding
Fetching the current user's full profile, including organizational and potentially sensitive attributes, is broader than what is required for most calendar actions. In a meeting skill, unnecessary access to profile details increases privacy exposure and can support profiling or downstream misuse if prompts cause the agent to disclose or reuse that data.

Missing User Warnings

Medium (93% confidence)
Finding
The README explicitly advertises destructive actions such as modifying, deleting, and canceling calendar events, but provides no warning, confirmation requirement, or safety guidance for high-impact operations. In a skill that can act on a user's real DingTalk calendar and meetings, this omission can lead to accidental or overly broad destructive actions, especially when natural-language requests are ambiguous.

Missing User Warnings

Medium (94% confidence)
Finding
The contact cache persists names and user IDs to a local file, but the documentation does not clearly warn users that personal data will be stored on disk and reused later. This is dangerous because users may provide colleague names for one task without realizing the agent will create a durable local identity database, creating privacy, compliance, and data minimization concerns.

Missing User Warnings

Medium (90% confidence)
Finding
The documented contacts features include access to mobile numbers and personal profile information, yet the file provides no privacy warning, purpose limitation, or handling guidance. In a meeting assistant context, omission of these safeguards makes it easier for the agent to over-collect or disclose sensitive employee data during ordinary scheduling tasks.

Missing User Warnings

Medium (91% confidence)
Finding
The skill documents operations that can change calendar sharing and access-control state without stating that user confirmation is required or explaining the impact. In practice, this can lead to accidental privilege grants or revocations, exposing calendar contents or disrupting collaboration through a single ambiguous prompt.

VirusTotal

57/57 vendors flagged this skill as clean.
