DingTalk API

Security checks across malware telemetry and agentic risk

Overview

This DingTalk API skill appears legitimate, but it can read employee/workflow data and change approval workflows with app credentials, so it needs careful review before use.

Install only if you control the DingTalk app credentials and can restrict its permissions. Use a dedicated least-privilege app, avoid enabling approval-write scopes unless required, require human confirmation before messaging or approval actions, and avoid --debug in shared logs because responses may contain employee or workflow data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (32)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill requires sensitive environment variables (`DINGTALK_APP_KEY` and `DINGTALK_APP_SECRET`) but does not declare corresponding permissions or clearly scope its access. This creates a transparency and governance gap: an agent or operator may invoke a skill with credential access they did not realize was needed, increasing the chance of unauthorized API use or accidental exposure of enterprise capabilities.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The declared purpose emphasizes search, lookup, messaging, and resignation queries, but the skill also supports OA approval management actions such as creating, approving, transferring, commenting on, and terminating approval instances. This mismatch is dangerous because it hides state-changing administrative functions behind a benign-seeming description, which can lead to unintended business workflow manipulation and unauthorized use in enterprise environments.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The manifest description omits OA approval management even though the documentation advertises full approval querying and action capabilities. In practice, this under-disclosure can mislead users, reviewers, and policy systems into treating the skill as informational when it can alter approval workflows and business records.

Description-Behavior Mismatch

Low
Confidence
89% confidence
Finding
The skill presents itself mainly as a query and messaging tool, but it also includes HR monitoring functions such as inactive-user and resigned-employee queries, plus broad personnel detail retrieval. That discrepancy increases privacy and insider-risk concerns because operators may not appreciate that the skill exposes sensitive employee-status and organizational data beyond basic directory lookup.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The package description and provided skill metadata understate the actual capability surface by omitting OA approval management actions that the scripts expose, including creating, terminating, executing, transferring, and commenting on approvals. In an agent skill, inaccurate capability disclosure can mislead operators and downstream policy systems, increasing the chance that a user or orchestrator invokes sensitive workflow actions without appropriate scrutiny or authorization expectations.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The script performs an approval-workflow action (adding comments to a process instance) that is not disclosed in the stated skill description. Undocumented write-capabilities are dangerous because users or orchestrators may trust the skill as read-oriented plus messaging, while it can also mutate approval records using app credentials, creating a permission and transparency gap that could be abused for unauthorized workflow manipulation or misleading audit trails.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The script can create approval workflow instances, which is a state-changing administrative action, but this capability is not declared in the skill metadata. That mismatch is dangerous because users, reviewers, or calling systems may believe the skill is limited to directory lookup and messaging while it can actually initiate business workflows on DingTalk with the app's privileges.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
The code invokes DingTalk workflow APIs to create process instances, which is inconsistent with the advertised skill purpose of contacts, messaging, and resignation queries. In this context, the hidden approval capability is more dangerous because it expands the trust boundary: an operator may grant or run the skill expecting read-oriented/admin-lite behavior while it can submit approvals that trigger downstream business actions.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
This script performs DingTalk approval workflow actions (agree/refuse) even though the declared skill scope only covers user/department lookup, messaging, group bot listing, and resigned-employee queries. That hidden capability materially expands the skill’s privileges into high-risk business process manipulation, enabling unauthorized approval or rejection of workflow items if the script is exposed or invoked by an agent with app credentials.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The script adds a capability to retrieve approval instance details, including form values, task data, and operation records, which can contain sensitive workflow and personnel information. This capability is not disclosed in the skill manifest, so users and reviewers may not expect the skill to access approval records, creating a transparency and overreach issue that can enable unauthorized data exposure if invoked.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The script adds a workflow approval-count query capability that is not declared in the skill manifest, creating a hidden data-access surface. Undocumented functionality is dangerous because it can bypass user and reviewer expectations, and in this case it exposes employee workflow metadata that may be sensitive in enterprise environments.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The script adds functionality to enumerate inactive users, which is sensitive employee-status data, but this capability is not reflected in the declared skill description. That mismatch can bypass reviewer and user expectations, expanding the skill's effective data-access scope and increasing the risk of unauthorized HR-related data discovery or misuse.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The script adds approval-workflow data access for a user's CC'd approval records, which is not described in the stated skill capabilities. That mismatch expands the effective permission/data surface and can surprise reviewers or downstream users, especially because approval metadata may contain sensitive business process information. In a security review, undocumented sensitive-data access is a real issue even if it uses legitimate DingTalk APIs.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script adds approval/workflow querying functionality that is not declared in the skill manifest, which creates a capability mismatch between what reviewers/users expect and what the skill can actually do. Because approval records may contain sensitive business process metadata and personal information, this hidden or undocumented capability increases the risk of unauthorized data access and weakens governance, consent, and review controls.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The script adds a destructive workflow capability—terminating approval instances—that is not described in the skill metadata, which only mentions user/department queries, messaging, bot listing, and resigned employee queries. Hidden or undeclared privileged actions are dangerous because an agent or operator may invoke them without realizing the skill can modify business workflows, enabling unauthorized cancellation of approvals.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
This code performs a workflow-modifying action by calling terminateProcessInstanceWithOptions, which can revoke or terminate approval processes. Because the skill's stated purpose does not include approval administration, this creates an unexpected privileged action surface that could be abused to disrupt internal approvals, bypass business controls, or sabotage operations.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This script adds a sensitive approval-workflow action—transferring approval tasks—that is not disclosed in the skill metadata, creating a capability mismatch between advertised and actual behavior. Hidden workflow reassignment can be abused to reroute approvals to unauthorized users, bypass expected review chains, or enable social/operational fraud, especially because the script accepts arbitrary instance and user IDs and performs the action directly with application credentials.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The code implements direct approval workflow reassignment even though the stated skill purpose is user/department lookup, messaging, bot listing, and resigned-employee queries. In this context, task transfer is unusually dangerous because it can alter business approval flows and move decision authority to another account, which may enable unauthorized approvals or concealment of accountability if exposed through an agent skill.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The type declarations include broad workflow approval APIs such as creating, terminating, and executing approval tasks, while the stated skill description focuses on user/department lookup, robot messaging, group bot listing, and resigned employee queries. This creates a capability/manifest mismatch that can mislead downstream tooling or reviewers and may enable unintended high-impact actions like approving or terminating business workflows if the implementation exposes these methods.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The release workflow is triggered by a very broad condition: when the user 'requests to publish code'. In an agent setting, ambiguous phrasing can cause the skill to perform sensitive actions such as version bumps, commits, pushes, and publication without sufficiently explicit user confirmation, increasing the risk of unintended release activity.

Missing User Warnings

High
Confidence
95% confidence
Finding
The document instructs the agent to automatically run git add/commit/push and an external publishing command, but provides no warning, approval gate, or scope limitation for these irreversible networked actions. In a skill capable of acting on user requests, this can lead to unintended source code disclosure, unauthorized remote changes, or accidental public release of code and metadata.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The README advertises access to sensitive personnel data and workflow operations such as user lookup, department enumeration, resigned employee records, and approval management, but provides no privacy, authorization, or least-privilege guidance. In an agent skill context, this increases the risk that integrators grant broad capabilities without understanding the compliance and access-control implications, enabling overcollection or misuse of employee and workflow data.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The README documents externally visible and potentially irreversible actions such as sending messages, creating approvals, terminating approvals, approving/rejecting tasks, and transferring tasks without warning users about side effects. In an agent-integrated environment, unclear documentation can cause accidental execution of business actions affecting employees, chats, and approval workflows.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Documenting a --debug mode that shows full API responses without warning can lead operators to expose sensitive data such as employee details, identifiers, approval contents, or tokens in logs, terminals, or shared CI output. In this skill's context, full DingTalk responses may contain HR and workflow information, making inadvertent disclosure more serious.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill documents capabilities that can send messages, query employee PII, inspect HR status, and modify approval workflows, but it provides no warning that these are sensitive or state-changing operations. Without such signaling, users or agent orchestrators may invoke powerful enterprise actions without informed consent, increasing the risk of privacy violations, spam, workflow tampering, or misuse of privileged APIs.

VirusTotal

65/65 vendors flagged this skill as clean.