DingTalk Channel Setup

Security checks across malware telemetry and agentic risk

Overview

This is a coherent DingTalk setup guide, but it includes a realistic-looking AppSecret example and weak secret-handling guidance, so users should review it before use.

Before installing, verify that @soimy/dingtalk is the plugin you intend to use. Treat DingTalk Client Secret/AppSecret values as sensitive: use placeholders in shared examples, keep config files private, avoid posting logs or screenshots with secrets, and rotate the shown secret if it belongs to a real DingTalk app. Consider allowlists instead of open DM/group access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Low
Confidence: 87%
Finding
The README instructs users to set up a DingTalk integration that requires handling AppKey and AppSecret, but it does not explicitly warn that these are sensitive credentials that must be stored securely and never committed, shared, or logged. In setup documentation, omission of secret-handling guidance can lead to accidental exposure through screenshots, shell history, config files, or version control, especially for less experienced operators.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill includes a full configuration example containing a realistic-looking `clientSecret` value and does not warn users against copying secrets into docs, terminals, or shared config files. In a setup skill centered on credentialed integration, this normalizes unsafe secret handling and increases the chance that real secrets will be pasted into persistent configs, logs, screenshots, or version control.

Ssd 3

Medium
Confidence: 96%
Finding
The documentation shows a realistic-looking client secret in an example, which can be mistaken for a usable credential or encourage users to embed real secrets directly in copied configuration blocks. Even if the example secret is fake, publishing secret-shaped values in a security-sensitive setup guide lowers operator caution and can lead to accidental disclosure of production credentials.

VirusTotal

64/64 vendors flagged this skill as clean.
