DingTalk Channel
Security checks across malware telemetry and agentic risk
Overview
This looks like a legitimate DingTalk connector, but it can act as you in DingTalk, and its default-open chat access should be reviewed before use.
Install only if you are comfortable letting OpenClaw act through your DingTalk authorization. Before using it in any company workspace, restrict dmPolicy/groupPolicy with allowlists, keep mention requirements on, require confirmation for destructive actions, and protect the ~/.openclaw credential files.
VirusTotal
VirusTotal engine telemetry is currently stale for this artifact.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If left unchanged, more DingTalk users or groups than intended may be able to prompt the bot to use capabilities tied to the authorized DingTalk account.
The default access policy is open for DMs and groups. For a connector authorized to operate with DingTalk credentials, this is a broad default invocation boundary.
"dmPolicy": { "default": "open", ... }, ... "groupPolicy": { "default": "open", ... }, "requireMention": { "default": true, "type": "boolean" }
Before enabling the bot, set dmPolicy and groupPolicy to allowlist or disabled where appropriate, keep requireMention enabled, and restrict allowFrom/groupAllowFrom to trusted users and groups.
Anyone who can read the relevant local OpenClaw files or captured terminal output may obtain DingTalk bot credentials.
The installer writes DingTalk client secrets into the OpenClaw config or a staging file under the user's home directory.
cfg.channels[CHANNEL_ID].clientSecret = clientSecret; ... writeFileSync(getStagingPath(), JSON.stringify({ clientId, clientSecret }, null, 2) + '\n', 'utf-8');
Protect the ~/.openclaw directory, remove any leftover .dingtalk-staging.json after setup, and avoid sharing install logs that may include credentials.
A mistaken or prompt-injected request could modify or delete DingTalk workspace data if the agent is allowed to run these commands.
The included command reference documents irreversible DingTalk business-data mutations. The docs warn about the risk, and the capability is aligned with the connector's purpose, but it is high impact.
dws aitable base delete --base-id <BASE_ID> --yes ... High-risk operation, irreversible.
Require explicit human confirmation for create/update/delete actions, especially commands using --yes, and limit which tools the bot can use in groups.
Installing the connector gives the package setup code the ability to change files in the local OpenClaw environment.
The recommended setup runs an npm package installer locally. This is expected for this plugin, but it executes package code and modifies local OpenClaw configuration.
npx -y @dingtalk-real-ai/dingtalk-connector install
Install only from the trusted package source, review the package version, and run setup from an account with appropriately limited local permissions.
Conversation history may influence later replies within the same session, so sensitive or malicious chat content could affect future agent behavior.
The channel keeps multi-turn conversation context; its documentation also states that private and group chat sessions are isolated.
Session management: multi-turn conversation context is retained; private-chat and group-chat sessions are isolated.
Keep conversation isolation enabled, avoid enabling shared memory across conversations unless necessary, and reset sessions after sensitive or suspicious interactions.
