Back to skill

Security audit

Ding Skills

Security checks across malware telemetry and agentic risk

Overview

The package is a broad DingTalk automation skill, not the web-scraping skill described in its listing, and it can change business messages, approvals, calendars, meetings, and documents.

Install only if you intentionally want DingTalk organization automation, not Crawl4AI web scraping. Use a least-privilege DingTalk app, review the required API scopes, and require human confirmation before sending messages, approving or rejecting workflows, deleting events, canceling meetings, or overwriting documents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

High
Confidence
98% confidence
Finding
The skill is configured to trigger on essentially any mention of DingTalk or any message originating from a DingTalk channel, which creates excessive activation and privilege scope. In a skill that can search employee data, send messages, manage approvals, schedule meetings, and overwrite documents, broad automatic invocation increases the chance of unintended high-impact actions, data exposure, or cross-context misuse.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill documents destructive and high-impact actions such as sending messages, approving/refusing workflows, transferring tasks, cancelling meetings, deleting events, and overwriting documents without requiring warnings, authorization checks, or confirmation prompts. In this enterprise context, those operations can directly alter business records, communications, calendars, and knowledge base content, making accidental or manipulated execution especially dangerous.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script performs an approval or rejection action immediately after parsing arguments, with no explicit confirmation step, dry-run, or warning for a potentially irreversible workflow operation. In an agent/automation context, this increases the risk of accidental execution, misuse through incorrect parameter passing, or unintended approvals/rejections triggered by upstream prompt or tool misuse.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script directly invokes a state-changing approval-task transfer API using caller-supplied identifiers, but provides no interactive confirmation, dry-run mode, or safeguard before changing workflow ownership. In an agent/automation context, this increases the chance of accidental or unauthorized reassignment of approval tasks, which can disrupt business processes and weaken approval integrity.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.