Dingtalk Attendance Review
Audited by ClawScan on May 10, 2026.
Overview
The skill matches its DingTalk attendance purpose, but it needs review because it uses enterprise DingTalk credentials to read employee attendance data and automatically stores named results locally without clear retention controls.
Install only if you are authorized to access company DingTalk attendance data. Use a least-privileged DingTalk app, review the Python script, keep AppSecret values secure, confirm queries before retrieving broad employee data, and periodically delete or protect the generated cache.db/history data.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
1. If installed in an environment where the DingTalk credential variables are set, the agent can retrieve sensitive company attendance information using enterprise-level DingTalk access.
The skill relies on enterprise DingTalk application credentials (AppKey/AppSecret) and an administrator identity (phone number) to read attendance records, yet the registry metadata declares no required env vars and no primary credential. The artifacts do not clearly bound which employees or departments may be queried, nor how the requester's own authorization is checked.
Evidence (SKILL.md, translated from Chinese):
Querying DingTalk check-in data requires the following environment variables; set them first:
- `DINGTALK_APPKEY`: AppKey of the internal enterprise DingTalk app
- `DINGTALK_APPSECRET`: AppSecret of the internal enterprise DingTalk app
- `ADMIN_PHONE`: administrator mobile number
Recommendation: Use a least-privileged DingTalk app, declare the credentials in metadata, restrict accessible departments and users, and require explicit user authorization before querying sensitive attendance data.
2. Employee attendance exceptions can remain on the local machine and be reused in later analyses, which raises privacy and access-control concerns.
The script creates a persistent local SQLite database (cache.db, placed in the skill's own directory) containing employee names, user IDs, attendance result types, counts, and query timestamps. The artifacts show no retention limit or deletion control for the attendance_history table.
Evidence (Python script, elided):
```
DEFAULT_CACHE_DB_PATH = os.path.join(os.path.dirname(os.path.abspath(__file__)), "cache.db")
...
CREATE TABLE IF NOT EXISTS attendance_history (
    work_date TEXT NOT NULL,
    user_id TEXT NOT NULL,
    user_name TEXT NOT NULL,
    result_type TEXT NOT NULL,
    count INTEGER NOT NULL,
    queried_at REAL NOT NULL
)
```
Recommendation: Add clear retention and cleanup behavior, an opt-out or no-cache mode, file-permission guidance, and preferably encryption or storage outside the shared skill directory.
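One way to implement the retention, no-cache, permission and location recommendations above, as an added example written for this review and not code from the skill: the `attendance_history` schema is the one quoted from the script, while the `AttendanceCache` class, its 30-day default, the XDG-style data directory under the user's home and the helper names are assumptions.

```python
"""Cache handling for attendance_history with retention, a no-cache mode,
owner-only file permissions and a location outside the skill directory.
Added example for this review; the schema is the skill's, everything else
(class, defaults, paths) is assumed."""
import os
import sqlite3
import stat
import time

# Table schema quoted from the reviewed script.
SCHEMA = """
CREATE TABLE IF NOT EXISTS attendance_history (
    work_date TEXT NOT NULL,
    user_id TEXT NOT NULL,
    user_name TEXT NOT NULL,
    result_type TEXT NOT NULL,
    count INTEGER NOT NULL,
    queried_at REAL NOT NULL
)
"""

DEFAULT_RETENTION_DAYS = 30  # assumed default; the skill defines no retention


def default_cache_path():
    """Keep the cache in the user's data directory, not beside the skill files."""
    base = os.environ.get("XDG_DATA_HOME") or os.path.join(
        os.path.expanduser("~"), ".local", "share")
    return os.path.join(base, "dingtalk-attendance", "cache.db")


def open_cache(path):
    """Create the database file owner-only (0600) and ensure the schema exists."""
    os.makedirs(os.path.dirname(path), mode=0o700, exist_ok=True)
    # Create the file ourselves so the mode is set before sqlite writes to it.
    fd = os.open(path, os.O_CREAT | os.O_RDWR, 0o600)
    os.close(fd)
    os.chmod(path, 0o600)  # also tighten a pre-existing, loosely created file
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    return conn


class AttendanceCache:
    """Cache that can be disabled entirely (no_cache=True) and purges old rows."""

    def __init__(self, path=None, no_cache=False, retention_days=DEFAULT_RETENTION_DAYS):
        self.no_cache = no_cache
        self.retention_days = retention_days
        self.path = path or default_cache_path()
        self.conn = None if no_cache else open_cache(self.path)

    def save(self, rows, now=None):
        """rows: iterable of (work_date, user_id, user_name, result_type, count)."""
        if self.no_cache:
            return 0  # no-cache mode: nothing touches disk
        now = time.time() if now is None else now
        with self.conn:
            cur = self.conn.executemany(
                "INSERT INTO attendance_history VALUES (?, ?, ?, ?, ?, ?)",
                [(*r, now) for r in rows])
        return cur.rowcount

    def purge_expired(self, now=None):
        """Delete rows queried before the retention window; return the count."""
        if self.no_cache:
            return 0
        now = time.time() if now is None else now
        cutoff = now - self.retention_days * 86400
        with self.conn:
            cur = self.conn.execute(
                "DELETE FROM attendance_history WHERE queried_at < ?", (cutoff,))
        return cur.rowcount

    def count(self):
        if self.no_cache:
            return 0
        return self.conn.execute(
            "SELECT COUNT(*) FROM attendance_history").fetchone()[0]

    def wipe(self):
        """Forget everything: close the connection and delete the file."""
        if self.conn is not None:
            self.conn.close()
            self.conn = None
        if os.path.exists(self.path):
            os.remove(self.path)


def file_mode(path):
    """Permission bits of the cache file, for checking the 0600 guarantee."""
    return stat.S_IMODE(os.stat(path).st_mode)
```

Running `purge_expired` on every startup keeps retention from depending on the user remembering to clean up, and a `--no-cache` flag on the skill's CLI could map directly to `no_cache=True`.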
3. A routine attendance question can trigger a DingTalk API query and create or update locally cached attendance records.
The agent is instructed to choose between local history and live DingTalk API calls, and live calls save their results automatically. This is purpose-aligned, but users should understand that a matching request can trigger external API access and local writes.
Evidence (SKILL.md, translated from Chinese):
If the target date is not in the history, run a normal query without `--history` (the result is saved automatically).
Recommendation: Ask for confirmation before live API queries or automatic caching, especially for broad date ranges or all-employee queries.
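A pre-query gate that combines the scope restriction recommended under finding 1 with the confirmation step recommended here, as an added example written for this review rather than code from the skill: `ALLOWED_SCOPE`, the two thresholds, the `AttendanceQuery` fields and the exception names are assumptions, and the per-requester allow-list stands in for whatever department scope the DingTalk app is actually granted.

```python
"""Gate run before any attendance lookup: enforce requester scope, answer from
local history when it fully covers the request, and demand confirmation before
a broad live query that would call DingTalk and cache named results.
Added example for this review; names and thresholds are assumed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, Optional

# Assumed per-requester allow-list of user IDs; in a deployment this would
# mirror the department scope granted to the least-privileged DingTalk app.
ALLOWED_SCOPE = {
    "manager_a": {"u1", "u2", "u3"},
}
# Assumed thresholds beyond which a live query needs explicit confirmation.
MAX_DAYS_WITHOUT_CONFIRM = 7
MAX_USERS_WITHOUT_CONFIRM = 2


class QueryDenied(Exception):
    """Requester is not authorised for (part of) the requested data."""


class ConfirmationRequired(Exception):
    """A broad live query must be confirmed by the user before it runs."""


@dataclass(frozen=True)
class AttendanceQuery:
    requester: str
    user_ids: Optional[FrozenSet[str]]  # None = "everyone the requester may see"
    start: date
    end: date


def plan_query(q, cached_dates=frozenset(), confirmed=False):
    """Return 'history' (local data only) or 'live' (DingTalk API, results are
    cached automatically). Raises QueryDenied or ConfirmationRequired."""
    scope = ALLOWED_SCOPE.get(q.requester)
    if scope is None:
        raise QueryDenied(f"{q.requester!r} is not authorised to query attendance data")
    if q.end < q.start:
        raise QueryDenied("end date precedes start date")

    # An all-employee request resolves to the requester's own scope, never wider.
    targets = set(scope) if q.user_ids is None else set(q.user_ids)
    outside = targets - scope
    if outside:
        raise QueryDenied(f"users outside requester scope: {sorted(outside)}")

    days = (q.end - q.start).days + 1
    wanted = {q.start + timedelta(days=i) for i in range(days)}
    if wanted <= set(cached_dates):
        return "history"  # fully served locally: no API call, no new write

    broad = (q.user_ids is None
             or len(targets) > MAX_USERS_WITHOUT_CONFIRM
             or days > MAX_DAYS_WITHOUT_CONFIRM)
    if broad and not confirmed:
        raise ConfirmationRequired(
            f"live DingTalk query for {len(targets)} user(s) over {days} day(s) "
            "would call the API and cache named results; confirm first")
    return "live"
```

Confirmation never widens scope: a request for users outside `ALLOWED_SCOPE` is denied even when `confirmed=True`, so the confirmation prompt only governs whether the external call and the local write happen.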
4. Users may not realize before installation that the skill runs local Python code and needs DingTalk credentials.
The packaging metadata under-declares the runtime and credential expectations that SKILL.md and the Python script reveal. This is a provenance and setup-transparency issue, not direct evidence of malicious behavior.
Evidence (registry metadata): Source: unknown; Homepage: none; Required env vars: none; Primary credential: none; Install specifications: no install spec (instruction-only skill).
Recommendation: Publish source and provenance information and declare required binaries, dependencies, environment variables, and credentials in the registry metadata.
