Openclaw Channel Dingtalk

Security checks across malware telemetry and agentic risk

Overview

This DingTalk integration is mostly coherent, but it includes persistent hidden learning rules, forced replies, and broad message logging/storage that should be reviewed before install.

Install only if you are comfortable granting this plugin DingTalk bot credentials, message send capability, DingTalk docs access through gateway methods, local persistent storage, and owner-controlled learning rules. Before using it in production, restrict ownerAllowFrom, prefer allowlists for DM/group access, keep learningEnabled and learningAutoApply off unless needed, avoid file-based secrets unless the config is trusted, and do not enable debug logging for sensitive conversations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (16)

Context-Inappropriate Capability
Severity: High (96% confidence)
Finding: The plugin exposes owner-triggered learning and rule-injection features that can persistently alter future model behavior across sessions, targets, or globally. In practice this is a prompt/policy persistence mechanism embedded in a messaging channel, which creates a powerful avenue for unsafe instruction injection, accidental misconfiguration, or abuse by anyone who gains owner-equivalent access.

Context-Inappropriate Capability
Severity: Medium (88% confidence)
Finding: The plugin scans local OpenClaw session files under the user's home directory to preload peer IDs, which reaches outside the plugin's immediate channel scope and touches unrelated local state. Even though it appears intended for convenience, it increases privacy exposure and broadens the blast radius if the plugin is compromised or behaves unexpectedly.

Context-Inappropriate Capability
Severity: Medium (95% confidence)
Finding: The code explicitly supports administrator-supplied rules of the form "when user asks X, must answer Y", then stores them as enabled manual rules with triggerText and forcedReply. This creates a deterministic response-substitution mechanism that can override normal model behavior and be used to inject deceptive, unsafe, or policy-violating outputs unrelated to the original application purpose.

Context-Inappropriate Capability
Severity: Medium (97% confidence)
Finding: resolveManualForcedReply normalizes user input and returns a stored forcedReply on exact trigger match, enabling hidden deterministic substitution of responses. Because this happens based on persisted manual rules and not transparent user-visible logic, it can be used to silently alter outputs, spread misinformation, or embed backdoor behavior for specific prompts.

Context-Inappropriate Capability
Severity: Medium (92% confidence)
Finding: The generated learning context tells the model to prioritize hidden learned rules over default reasoning and to conceal their source from the user. This is dangerous because persisted or manually added instructions can silently override baseline safeguards or expected behavior, reducing transparency and making abusive prompt injection or policy evasion harder to detect.

Intent-Code Divergence
Severity: Medium (96% confidence)
Finding: The code and comment imply data is masked for safe logging, but `maskSensitiveData` only redacts two exact field names: `token` and `accessToken`. Error payloads may still contain other secrets or PII such as refresh tokens, authorization headers, phone numbers, emails, IDs, cookies, app secrets, or nested sensitive values in arrays, which can then be serialized into logs and exposed to operators or anyone with log access.

Missing User Warnings
Severity: Medium (97% confidence)
Finding: The code logs the full streaming request payload, including card content, outTrackId, and a generated guid, at debug level. If debug logs are enabled in production or accessible to operators, this can expose user message contents and tracking identifiers to log sinks and anyone with log access, creating a privacy and data-leak risk.

Missing User Warnings
Severity: Medium (91% confidence)
Finding: Pending card state is written to persistent storage and includes lastContent and lastBlockListJson, which may contain full user or model-generated message content. Storing this data without minimization, encryption, or retention controls increases the chance of local data disclosure through filesystem access, backups, or crash-recovery artifacts.

Missing User Warnings
Severity: Medium (81% confidence)
Finding: This code persists feedback events and links them to reply snapshots and identifiers, but shows no visible notice, consent, minimization, or retention controls at the point of collection. That creates a privacy/compliance risk because user interaction data is stored for learning purposes without any evident disclosure or limitation in this component.

Missing User Warnings
Severity: Medium (92% confidence)
Finding: The card callback handler logs the full raw callback payload, which can include user identifiers, action metadata, workflow context, or other sensitive content originating from DingTalk interactions. Persisting entire callback bodies to logs increases the risk of privacy leakage and secondary exposure through log aggregation, debugging systems, or support access, especially because this gateway processes live inbound events across accounts.

Missing User Warnings
Severity: Medium (90% confidence)
Finding: The onboarding flow initiates an external device-registration/authorization process and polls for completion, but the user-facing note only tells the operator to open the authorization page and scan the code. It does not explicitly disclose what data is transmitted to external services, what account/app will be created or linked, or the trust boundary involved, which can lead to unintended credential provisioning and privacy/compliance issues during setup.

Missing User Warnings
Severity: Medium (89% confidence)
Finding: The code accepts a `file` secret reference and reads the referenced path from local disk at runtime, with no allowlist or base-directory enforcement visible in this file, and no user-facing disclosure/confirmation. In an agent/plugin setting where configuration may be influenced by untrusted inputs, this can expose arbitrary local files as secrets and cross a clear trust boundary.

Ssd 3
Severity: Medium (93% confidence)
Finding: The service persistently stores full questions and answers in outbound reply snapshots for later learning. Since natural-language conversations often contain sensitive personal, business, or credential-like information, this retention expands the blast radius of any storage compromise, misuse, or overbroad internal access.

Ssd 3
Severity: Medium (91% confidence)
Finding: Feedback events and reflection records preserve prior question/answer context, user signals, and inferred diagnoses for later reuse. This compounds privacy and data-leak risk because sensitive user content can be duplicated across multiple persistence layers and then reintroduced into future prompts or exposed through administrative tooling.

Ssd 1
Severity: Medium (92% confidence)
Finding: This service explicitly supports owner-authorized natural-language rule injection via commands like /learn global, /learn session, and target-scoped variants. Even though restricted to owners, these instructions are persisted and later used to steer model behavior across conversations, creating a powerful prompt-injection/control plane that can be abused if owner accounts are compromised, misconfigured, or socially engineered.

Ssd 4
Severity: Medium (90% confidence)
Finding: The feature set combines identity discovery (/learn whoami, whereami), target enumeration/listing, and targeted rule deployment to conversations or saved target sets. That creates an end-to-end mechanism for reconnaissance plus selective behavioral manipulation, which increases the blast radius and stealth of prompt-based misuse if an authorized owner or compromised owner channel is abused.

VirusTotal

65/65 vendors flagged this plugin as clean.