Back to skill

Security audit

Dingtalk Auto Reply

Security checks across malware telemetry and agentic risk

Overview

This skill is clearly for DingTalk automation, but it can persist in the background and send business chat replies as the user, so it should be reviewed carefully before use.

Install only if you intentionally want a background DingTalk assistant that can read unread chats and send replies as you. Start with DRY_RUN, verify the exact scripts from the source repo before running them, confirm DingTalk send permissions, check any Startup launcher or PATH changes, and use skip lists plus audit logs before enabling real automatic replies.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger description uses broad natural-language phrases like '钉钉自动回复/钉钉代回/监听钉钉未读+AI回复', which can match ordinary user requests and cause the skill to activate in situations where the user did not intend autonomous message handling. Because this skill can monitor unread chats and send replies on the user's behalf, over-broad triggering materially increases the chance of unintended activation and unauthorized outbound communication.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill introduces itself as '钉钉自动回复(未读监控 → AI 代复 → 微信通知)' and immediately describes autonomous boss-style replying, but does not present a prominent up-front warning that it may send messages as the user. In this context, the capability is especially sensitive because the skill performs high-risk external actions, impersonates the user/boss persona, and can affect real business communications if activated without clear informed consent.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.