DingTalk OpenAPI Skill

Audited by ClawScan on May 1, 2026.

Overview

This is a coherent DingTalk messaging helper, but it needs DingTalk app credentials and can send messages, so users should verify recipients, content, and the schema source before use.

Install only if you want the agent to perform DingTalk user lookup and bot/service-group messaging. Before use, configure a least-privileged DingTalk app token, confirm every message send, verify recipients and content, and consider using a pinned or local OpenAPI schema instead of the mutable remote URL.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used carelessly, the agent could send an unintended message to DingTalk users or groups.

Why it was flagged

The skill can perform outbound DingTalk message sends, which can affect real users or groups, but it labels them high-risk and requires confirmation.

Skill content

All three send operations are high-risk writes. Require explicit user confirmation before execution.

Recommendation

Confirm every send operation, review recipients and message content, and avoid allowing unattended message sends.

What this means

Anyone or any agent with access to the configured credential could act through the DingTalk app for the allowed messaging APIs.

Why it was flagged

The skill requires DingTalk app credentials or a bearer access token, giving the agent delegated authority for the configured DingTalk app.

Skill content

A DingTalk app `appKey` + `appSecret`, or a current `accessToken` if you are using the manual fallback path.

Recommendation

Use a least-privileged DingTalk app or bot credential, store secrets through environment variables or UXC credential storage, and rotate or remove credentials when no longer needed.

What this means

A changed remote schema could alter what operations the linked CLI exposes under the same DingTalk credential.

Why it was flagged

The default link command fetches the API schema from a mutable GitHub `main` branch URL, so the effective API surface could change if that remote file changes.

Skill content

uxc link dingtalk-openapi-cli https://api.dingtalk.com/v1.0 --schema-url https://raw.githubusercontent.com/holon-run/uxc/main/skills/dingtalk-openapi-skill/references/dingtalk-messaging.openapi.json

Recommendation

Prefer the bundled schema or a pinned commit/tag URL, and review schema changes before relinking the CLI.
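One way to carry out that review before relinking, as an added example that is neither the skill's code nor part of ClawScan's report: it compares the digest of the pinned schema with a freshly fetched candidate and lists the operations the candidate adds or removes under the same credential. The two schemas and their paths are constructed samples, not the skill's real schema file.

```python
"""Review an OpenAPI schema change before relinking a CLI to it.

A mutable schema URL means the set of operations the CLI can call may
change silently. Pin the reviewed schema's SHA-256 and, whenever the
remote copy differs, list what operations were added or removed so the
change can be reviewed before the CLI is relinked."""
import hashlib
import json

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options"}


def schema_digest(schema_bytes: bytes) -> str:
    """SHA-256 hex digest of the raw schema bytes, as recorded when pinning."""
    return hashlib.sha256(schema_bytes).hexdigest()


def operations(schema: dict) -> set[tuple[str, str]]:
    """Return the (METHOD, path) pairs an OpenAPI document exposes."""
    ops = set()
    for path, item in schema.get("paths", {}).items():
        for method in item:
            if method.lower() in HTTP_METHODS:
                ops.add((method.upper(), path))
    return ops


def review_schema_change(pinned_bytes: bytes, candidate_bytes: bytes) -> dict:
    """Compare a pinned schema with a candidate: digest match plus op-level diff."""
    pinned_ops = operations(json.loads(pinned_bytes))
    candidate_ops = operations(json.loads(candidate_bytes))
    return {
        "digest_match": schema_digest(pinned_bytes) == schema_digest(candidate_bytes),
        "added": sorted(candidate_ops - pinned_ops),
        "removed": sorted(pinned_ops - candidate_ops),
    }


# Constructed sample schemas (placeholder paths, not DingTalk's real API).
PINNED = json.dumps({"openapi": "3.0.0", "paths": {
    "/v1.0/users/{unionId}": {"get": {"operationId": "lookupUser"}},
    "/v1.0/robot/messages": {"post": {"operationId": "sendRobotMessage"}},
}}).encode()

CANDIDATE = json.dumps({"openapi": "3.0.0", "paths": {
    "/v1.0/users/{unionId}": {"get": {"operationId": "lookupUser"},
                              "delete": {"operationId": "removeUser"}},
    "/v1.0/robot/messages": {"post": {"operationId": "sendRobotMessage"}},
}}).encode()

if __name__ == "__main__":
    report = review_schema_change(PINNED, CANDIDATE)
    if not report["digest_match"]:
        print("schema digest changed; review before relinking")
    for method, path in report["added"]:
        print("new operation exposed:", method, path)
```

In practice the pinned bytes come from the bundled schema (or a commit-pinned URL) and the candidate from the `main` branch URL; a non-empty `added` list is the signal to inspect before running `uxc link` again.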