DingTalk CLI Auto

Security checks across malware telemetry and agentic risk

Overview

This DingTalk automation skill appears legitimate, but it has unsafe command execution and broad access to credentials, calendar data, and contact information that should be reviewed before use.

Install only if you trust the publisher and can review or patch the command wrapper first. Avoid using real DingTalk credentials until shell execution is replaced with argument-array spawning, do not paste secrets into commands, verify the dws binary source, and require confirmations before deleting calendar events or printing bulk contact data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Context-Inappropriate Capability

Medium, 95% confidence
Finding
The code builds a shell command by concatenating `dwsPath`, `command`, and `args` into a single string and passes it to `execSync`, which invokes a shell. If any of those values are influenced by untrusted input, this enables command injection and arbitrary OS command execution; the same path also forwards credential environment variables to the spawned process, increasing blast radius. The lack of clear skill metadata or constraints makes this more dangerous because there is no documented justification or trust boundary for subprocess execution.

Missing User Warnings

Medium, 90% confidence
Finding
The skill documents sending robot messages using a raw webhook URL and secret without any warning about credential sensitivity or risks of posting data to external endpoints. If users paste real webhook tokens or secrets into commands, they may leak credentials via shell history, logs, screenshots, or process listings, enabling unauthorized message sending and data disclosure.

Missing User Warnings

Medium, 86% confidence
Finding
The library explicitly passes `DWS_CLIENT_ID` and `DWS_CLIENT_SECRET` into the subprocess environment, exposing secrets to any executed binary at `dwsPath`. If `dwsPath` is replaced, attacker-controlled, or combined with command injection elsewhere in the wrapper, those credentials can be exfiltrated silently. In this context, the issue is amplified because the same component is responsible for launching external commands without strong trust controls.

Missing User Warnings

Medium, 94% confidence
Finding
The delete command performs a destructive action immediately after receiving an ID, with no confirmation prompt, dry-run mode, or other safeguard against operator mistakes. In a CLI that manages real calendar data, accidental invocation, shell history reuse, or scripting mistakes can permanently delete events and disrupt schedules.

Missing User Warnings

Medium, 91% confidence
Finding
The CLI prints contact names, IDs, departments, phone numbers, and email addresses directly to stdout. In a contact-management tool this may be intended behavior, but it still creates a real data-exposure risk because terminal output is commonly captured in shell history, logs, CI output, screen recordings, or shared sessions without any masking or warning.

Missing User Warnings

Medium, 89% confidence
Finding
Listing department members and printing their phone numbers exposes personal contact data for an entire group at once, increasing the blast radius versus a single-record lookup. In administrative or shared environments, this output could be harvested from terminal logs or used for internal directory scraping.

Missing User Warnings

Medium, 94% confidence
Finding
Dumping the full user-detail object to stdout risks disclosing any sensitive fields returned by the backend, including fields the script author may not have anticipated. Because the entire response is serialized without filtering, future API changes could silently expand the exposed data set.

Missing User Warnings

Medium, 87% confidence
Finding
Printing the full current-user profile is still a disclosure issue, but the risk is somewhat lower because it is limited to the invoking user's own record rather than arbitrary directory entries. However, stdout capture and overbroad field exposure remain concerns, especially if tokens, identifiers, or internal attributes are included in the returned object.

VirusTotal

No VirusTotal findings
