DingTalk Skills

Security checks across malware telemetry and agentic risk

Overview

This DingTalk skill matches its stated purpose, but it gives an agent broad real-world company powers without enough built-in confirmation or scoping safeguards.

Install it only if you intend to let an agent operate against a real DingTalk organization, and then:
  • register a least-privilege DingTalk app, and leave the approval, calendar, and document scopes off unless the workflow needs them;
  • keep the app secret and robot code out of logs, shell history, and screenshots;
  • confirm recipients, approval IDs, event IDs, meeting IDs, workspace IDs, and document contents yourself before any send, approve, reject, delete, cancel, transfer, or overwrite action.

SkillSpector

By NVIDIA
Vulnerability Patterns (checked)
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Vague Triggers

Severity: High
Confidence: 95%
Finding
The trigger condition is extremely broad and effectively claims any DingTalk-related request, increasing the chance the agent invokes this skill when the user did not intend to perform enterprise actions. In this skill, accidental invocation is especially risky because it exposes powerful capabilities such as messaging, approval handling, calendar changes, and document overwrite operations.

Missing User Warnings

Severity: High
Confidence: 97%
Finding
The skill documents many high-impact actions—sending messages, approving/rejecting workflows, deleting events, canceling meetings, and overwriting documents—without requiring user confirmation, scope validation, or step-up checks. In an enterprise DingTalk context, a mistaken or manipulated instruction could directly alter records, communications, approvals, and knowledge-base content.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The skill instructs operators to configure sensitive credentials and identifiers in environment variables but does not warn that these values are secrets or provide handling requirements. While environment variables are common, omission of secret-management guidance increases the likelihood of accidental disclosure through logs, screenshots, shell history, or insecure deployment practices.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The manifest advertises a broad, full-featured DingTalk skill set spanning user management, messaging, approvals, meetings, schedules, and document operations, but it does not document any activation boundaries, least-privilege scope, or trigger constraints. In an agent context, this increases the chance of overbroad invocation and unauthorized high-impact actions such as messaging users, modifying approvals, deleting calendar events, or overwriting documents if downstream controls are weak or misconfigured.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
This script performs an approval or rejection action immediately once invoked with valid arguments, with no interactive confirmation, dry-run mode, or secondary validation for a potentially irreversible workflow decision. In an agent or automation context, this increases the risk of accidental or unauthorized approval execution from malformed prompts, parameter confusion, or unsafe chaining of tools.
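The overview's advice (confirm the exact target ID before any send/approve/reject/delete/cancel/transfer/overwrite, keep the app secret and robot code out of logs) and the two findings above (no confirmation or dry-run around approval, no secret-handling guidance) can be enforced in one small wrapper. The block below is an added example, not code from the DingTalk skill or from SkillSpector. It assumes the skill's scripts reduce to "call the DingTalk API with an action name and a target ID"; the DingTalk call is replaced by a stand-in (`fake_dingtalk_call`) so the guard logic runs offline, and the environment variable names `DINGTALK_APP_SECRET` and `DINGTALK_ROBOT_CODE` are assumed for illustration.

```python
"""Confirmation guard for high-impact DingTalk skill actions.

Added example, not the skill's own code. Assumes each script boils down to
api_call(action, target_id); the real DingTalk call is replaced by a stand-in.
"""
import logging
import os
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Sequence

# Actions the skill can perform that change state and are hard to undo.
HIGH_IMPACT = frozenset({"send", "approve", "reject", "delete",
                         "cancel", "transfer", "overwrite"})

# Assumed names of the env vars holding the app secret and robot code.
SECRET_ENV_VARS = ("DINGTALK_APP_SECRET", "DINGTALK_ROBOT_CODE")


def redact(message: str, secrets: Sequence[str]) -> str:
    """Replace every occurrence of a known secret value with a marker."""
    for secret in secrets:
        if secret:
            message = message.replace(secret, "[REDACTED]")
    return message


class RedactSecrets(logging.Filter):
    """Logging filter: rewrite each record so secrets never reach a handler."""

    def __init__(self, secrets: Sequence[str]) -> None:
        super().__init__()
        self._secrets = list(secrets)

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage(), self._secrets)
        record.args = ()
        return True


def secret_values_from_env(names: Sequence[str] = SECRET_ENV_VARS) -> list:
    """Collect the secret values currently set so the filter can redact them."""
    return [os.environ[n] for n in names if os.environ.get(n)]


def make_logger(secrets: Sequence[str] = (), name: str = "dingtalk-skill") -> logging.Logger:
    """Logger with the redaction filter attached (filters on a logger run before handlers)."""
    log = logging.getLogger(name)
    log.addFilter(RedactSecrets(secrets))
    return log


class ConfirmationRequired(Exception):
    """A high-impact action was attempted without a matching confirmation."""


@dataclass
class ActionRequest:
    action: str                    # e.g. "approve", "delete", "send"
    target_id: str                 # approval/event/meeting/workspace/document ID
    confirm: Optional[str] = None  # must equal confirmation_token() to execute
    dry_run: bool = True           # default: report what would happen, do nothing


def confirmation_token(action: str, target_id: str) -> str:
    """The caller must repeat action and exact target ID, which catches ID mix-ups."""
    return f"{action}:{target_id}"


def guarded_action(req: ActionRequest,
                   api_call: Callable[[str, str], Dict],
                   log: logging.Logger) -> Dict:
    """Run read-only actions directly; gate high-impact ones behind dry-run and confirmation."""
    if req.action not in HIGH_IMPACT:
        return api_call(req.action, req.target_id)
    expected = confirmation_token(req.action, req.target_id)
    if req.dry_run:
        log.info("dry-run: would %s %s (rerun with dry_run=False, confirm=%r)",
                 req.action, req.target_id, expected)
        return {"executed": False, "action": req.action, "target_id": req.target_id}
    if req.confirm != expected:
        raise ConfirmationRequired(
            f"refusing {req.action} on {req.target_id}: confirm must be {expected!r}")
    log.info("executing %s on %s", req.action, req.target_id)
    return api_call(req.action, req.target_id)


def fake_dingtalk_call(action: str, target_id: str) -> Dict:
    """Stand-in for the real DingTalk API call (constructed for this example)."""
    return {"executed": True, "action": action, "target_id": target_id}


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    logger = make_logger(secret_values_from_env())
    print(guarded_action(ActionRequest("approve", "PROC-123"), fake_dingtalk_call, logger))
    print(guarded_action(ActionRequest("approve", "PROC-123", dry_run=False,
                                       confirm="approve:PROC-123"), fake_dingtalk_call, logger))
```

The token format is deliberately the action plus the exact ID, so an agent that confuses two approval IDs in a chained tool call fails closed rather than approving the wrong workflow; the dry-run default means a vague trigger that invokes the script by accident only produces a log line.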

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The script accepts an arbitrary unionId and directly retrieves that user's primary calendar events, which are highly privacy-sensitive. There is no visible authorization check, ownership validation, or explicit user-consent disclosure in this code path, so if the surrounding token has broad calendar scope this enables unauthorized access to another user's schedule data.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
This script fetches and emits employee resignation records, which are HR-sensitive data, without any built-in warning, access-control check, masking, or confirmation step before output. In an agent skill context, that increases the risk of accidental overexposure to logs, downstream tools, or unauthorized operators who may invoke the script with valid platform credentials.
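Both read-path findings (calendar lookup by arbitrary unionId, resignation records emitted unmasked) are missing the same two controls: an explicit scope decision in the script, and data minimization before output. The block below is an added example, not code from the DingTalk skill. The field names (`name`, `mobile`, `email`, `reason`, `lastWorkDay`) and the sample records are constructed for illustration and are not the shape of a real DingTalk response.

```python
"""Scope check and masking for sensitive read paths.

Added example, not the skill's own code. Field names and sample records are
constructed; they do not reproduce DingTalk API responses.
"""
from typing import Dict, Iterable, List


class ScopeViolation(Exception):
    """A script asked for data outside the caller's own scope."""


def check_calendar_scope(requested_union_id: str, caller_union_id: str,
                         allowed_union_ids: Iterable[str] = ()) -> str:
    """Permit reading only the caller's own calendar or an explicitly allowlisted one.

    A broad calendar scope on the app token would otherwise let the script read
    anyone's schedule; this makes the authorization decision visible in code.
    """
    if requested_union_id == caller_union_id or requested_union_id in set(allowed_union_ids):
        return requested_union_id
    raise ScopeViolation(f"unionId {requested_union_id!r} is not the caller and not allowlisted")


# Assumed field names: anything that identifies a person or explains their departure.
HR_SENSITIVE_FIELDS = frozenset({"name", "mobile", "email", "reason"})


def mask_value(value: str, keep: int = 2) -> str:
    """Keep only the last `keep` characters so records stay correlatable but not readable."""
    if len(value) <= keep:
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[-keep:]


def mask_record(record: Dict[str, str],
                sensitive: Iterable[str] = HR_SENSITIVE_FIELDS) -> Dict[str, str]:
    """Return a copy with sensitive string fields masked; other fields pass through."""
    sensitive = set(sensitive)
    return {k: (mask_value(v) if k in sensitive and isinstance(v, str) else v)
            for k, v in record.items()}


def emit_resignations(records: List[Dict[str, str]], reveal: bool = False) -> List[Dict[str, str]]:
    """Records for output: masked by default, unmasked only on an explicit opt-in."""
    if reveal:
        return [dict(r) for r in records]
    return [mask_record(r) for r in records]


# Constructed sample data, not real DingTalk output.
SAMPLE_RESIGNATIONS = [
    {"userId": "u001", "name": "Alice Example", "mobile": "13800000001",
     "reason": "personal", "lastWorkDay": "2024-03-29"},
    {"userId": "u002", "name": "Bob Example", "mobile": "13800000002",
     "reason": "relocation", "lastWorkDay": "2024-04-12"},
]


if __name__ == "__main__":
    print(check_calendar_scope("u001", "u001"))
    for row in emit_resignations(SAMPLE_RESIGNATIONS):
        print(row)
```

Because `reveal` defaults to `False`, an agent that chains this script into another tool passes along masked rows unless the operator deliberately asks for the full record, which is the confirmation step the finding says is missing.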

VirusTotal

66/66 vendors reported this skill as clean. VirusTotal verdicts cover known-malicious file content and behaviour; a clean result says nothing about the over-permission and missing-confirmation findings above.