Back to plugin

Security audit

DingTalk Channel

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate DingTalk connector, but it can act as you in DingTalk and its default-open chat access should be reviewed before use.

Install only if you are comfortable letting OpenClaw act through your DingTalk authorization. Before using it in any company workspace, restrict dmPolicy/groupPolicy with allowlists, keep mention requirements on, require confirmation for destructive actions, and protect the ~/.openclaw credential files.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/accounts-CF4oK_HZ.mjs:218
Evidence
const clientSecret = [REDACTED](cfg?.clientSecret, "channels.dingtalk-connector.clientSecret");

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/connection-BZd5NXuh.mjs:62
Evidence
clientSecret: [REDACTED],

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/runtime-f4Rv6Wna.mjs:108
Evidence
clientSecret: [REDACTED]().optional(),

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/channel.ts:72
Evidence
...(creds?.clientSecret && { DWS_CLIENT_SECRET: [REDACTED] }),

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/config/accounts.ts:166
Evidence
const clientSecret = [REDACTED](cfg?.clientSecret, "channels.dingtalk-connector.clientSecret");

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/config/schema.ts:99
Evidence
clientSecret: [REDACTED]().optional(),

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/core/connection.ts:145
Evidence
clientSecret: [REDACTED],

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/device-auth.ts:162
Evidence
clientSecret: [REDACTED],

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/onboarding.ts:308
Evidence
clientSecret: [REDACTED],