DingTalk API
WarnAudited by ClawScan on May 10, 2026.
Overview
This is mostly a DingTalk API wrapper, but it under-declares powerful enterprise credentials and exposes high-impact message and approval actions without clear safety boundaries.
Install only if you intend the agent to access your DingTalk enterprise app. Use a dedicated least-privilege DingTalk application, set clear rules that the agent must ask before sending messages or changing approvals, verify the package source/dependencies, and avoid using debug mode with sensitive employee or approval data.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A powerful DingTalk app secret could allow the agent to act within the company account, including approval workflow actions, if the app has those permissions.
The script uses app-level DingTalk credentials and a caller-supplied userId to perform approval actions; registry metadata declares no required env vars or primary credential.
const appKey = process.env.DINGTALK_APP_KEY; const appSecret = process.env.DINGTALK_APP_SECRET; ... actionerUserId: userId, result: result,
Declare the required credentials and exact DingTalk scopes, use a dedicated least-privilege app, and require explicit user confirmation before any action that acts for a user or changes approvals.
A mistaken or autonomous invocation could send messages or change business approval outcomes in DingTalk.
The documented workflows directly terminate or approve/refuse business approval instances; the artifacts do not show a confirmation, preview, dry-run, or rollback requirement.
npm run terminate-approval-instance -- "xxx-123" "user001" --remark "撤销原因" npm run execute-approval-task -- "xxx-123" "user001" "agree" --remark "同意"
Add mandatory confirmation steps, preview the target user/group/approval before execution, and separate read-only commands from mutating commands.
If an agent consumes this file as instructions, a publish-related request could trigger repository and ClawHub publishing operations unexpectedly.
A released DingTalk API skill includes agent-facing development instructions to automatically commit, push, and publish code, which is outside the stated DingTalk API purpose.
用户要求发布代码时,自动执行以下步骤: ... git add/commit/push 到 GitHub,然后 `clawhub publish` 发布到 ClawHub
Remove development-only CLAUDE.md instructions from the published skill or require explicit human confirmation for every git push and ClawHub publish step.
Users have less registry-level information for verifying where the code came from and how it should be installed.
The package includes TypeScript scripts and npm dependencies, but the registry does not provide a source/homepage or install spec. This is a provenance and reviewability gap, not evidence of malicious behavior.
Source: unknown Homepage: none Install specifications: No install spec — this is an instruction-only skill.
Verify the package source before use and prefer a release with declared repository, install steps, dependencies, and credential requirements.
Employee details, approval content, and organization data could be exposed to anyone who can see the agent transcript or debug output.
The skill retrieves employee personal and organizational data that may enter the agent conversation context or logs; this is purpose-aligned but sensitive.
获取指定用户的详细信息,包括姓名、手机号、邮箱、部门列表等。
Limit queries to necessary users/departments, avoid debug output unless needed, and treat returned DingTalk data as confidential.