ClawHub

Dingtalk File Send

v1.2.2

Upload and send files to DingTalk users. Auto-detects account from current session. Use when: user asks to send/forward a file/document/PDF/image via DingTalk.

1· 91·0 current·0 all-time
by@kenriou
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name and description describe sending files via DingTalk; the SKILL.md only requires curl/jq and access to the OpenClaw config to obtain DingTalk credentials and tokens, which is coherent with that purpose.
Instruction Scope
Instructions explicitly read ~/.openclaw/openclaw.json to extract clientId/clientSecret/robotCode and the optional OPENCLAW_AGENT_ID from environment, then call DingTalk APIs to upload and send files — all actions stay within the declared task but do involve reading local credentials.
Install Mechanism
Instruction-only skill with no install spec and no code files; it requires only common CLI tools (curl and jq) that are expected for the provided shell examples.
Credentials
Access to clientId/clientSecret/robotCode in the OpenClaw config is necessary to obtain an access token and is proportionate to the task; however the registry metadata lists no required env vars while the SKILL.md reads OPENCLAW_AGENT_ID (optional) and the local config, a minor metadata mismatch and a sensitive operation (reads secrets).
Persistence & Privilege
Skill does not request always:true, does not modify other skills, and does not install persistent components; autonomous invocation is allowed (platform default) but not elevated by the skill itself.
Assessment
This skill appears to do what it says: it reads your OpenClaw config (~/.openclaw/openclaw.json) to obtain DingTalk credentials, gets an access token, uploads the file, and sends it. Before installing or running it, verify the skill source (unknown here), inspect the SKILL.md yourself, and confirm the config file only contains accounts you expect. Treat the clientSecret/robotCode as sensitive: only use this skill if you trust it and consider testing in an isolated account or environment first. Also ensure curl/jq on your system are the real binaries (not replaced by malicious wrappers). If you lose confidence in the skill or its origin, rotate the DingTalk credentials referenced in your OpenClaw config.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dxg856cmrqxdhf38pkr2ye183j0nc

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📤 Clawdis
Binscurl, jq

Comments