dingtalk-cli

Security checks across malware telemetry and agentic risk

Overview

The skill is for a legitimate DingTalk document workflow, but it gives an agent direct read, overwrite, delete, and membership-change authority without clear confirmation boundaries.

Install only if you trust the external dingtalk-cli package and intend to let an agent operate on DingTalk resources. Use least-privilege DingTalk app permissions, protect the saved config file, and require the agent to show the exact workspace, node/document key, target user, and planned change before any overwrite, delete, or member-management command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 80%
Finding
The trigger description is broad and overlaps with common user phrasing about DingTalk docs, knowledge bases, reading/writing documents, and spreadsheets, which can cause the agent to invoke this skill in situations where the user did not clearly request tool use. Because the skill enables sensitive read, write, delete, and membership-management operations against remote DingTalk resources, accidental activation could expose data or cause unauthorized changes.

VirusTotal

65/65 vendors flagged this skill as clean.
