DingTalk Integration

Security checks across malware telemetry and agentic risk

Overview

This DingTalk skill matches its stated purpose, but it can act in a real workplace account and exposes token-checking without enough user-facing safeguards.

Review carefully before installing. Use a dedicated least-privilege DingTalk app, store the App Secret only in a secure environment or a secret-management system, avoid exposing token outputs in prompts or logs, and require human confirmation of recipients, message contents, and group membership before allowing the skill to act in a real DingTalk workspace.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill requires secrets via environment variables and clearly performs outbound DingTalk operations, but the manifest does not explicitly declare permissions for sensitive capabilities like network access and secret/env usage. This weakens platform-level transparency and consent, making it easier for users or hosting systems to run a skill with broader capabilities than are visibly declared.

Tp4

High
Category
MCP Tool Poisoning
Confidence
84% confidence
Finding
The documented purpose focuses on messaging, groups, and workflow automation, but the behavior also includes listing accessible chats and fetching/exposing access-token-related information. Undisclosed data-access and token-handling behavior increases the risk of oversharing sensitive metadata or enabling misuse beyond the user's expected scope.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The skill exposes a dedicated tool, dingtalk_get_token, that retrieves a live DingTalk access token and returns part of it to the caller. Even though it truncates the token in the response, exposing token retrieval functionality is unnecessary for the stated messaging/chat features and materially increases the chance of credential misuse, debugging leakage, or future full-token exposure through small code changes.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill enables real-world actions such as sending messages, modifying groups, and sending webhook notifications, yet it does not prominently warn users that these operations affect live DingTalk users, chats, and external systems. In an agent setting, insufficient disclosure can lead to accidental spam, unauthorized group changes, or unintended business workflow triggers.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The tool can create external DingTalk group chats directly from an agent invocation without any confirmation, approval gate, or user-facing warning that it will modify collaboration state. This can lead to unintended creation of chats, accidental disclosure through added participants, or abuse by prompt injection that causes unauthorized external actions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill directs users to send messages, create chats, and manage group membership in an external service without warning that message contents, user identifiers, and membership data may be transmitted outside the current system. This omission can lead users to share sensitive or regulated data without understanding the privacy, compliance, or data-governance consequences.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The instructions tell users to configure DINGTALK_APP_ID and DINGTALK_APP_SECRET but do not emphasize that these are sensitive credentials requiring secure storage and restricted access. This increases the risk of credential leakage through logs, code repositories, screenshots, or insecure environment management, which could enable unauthorized API access.

VirusTotal

66/66 vendors flagged this skill as clean.
