dingtalk-doc-enterprise

Security checks across malware telemetry and agentic risk

Overview

This DingTalk document skill is mostly coherent, but it makes live changes to enterprise documents and exposes an insert command that its own documentation does not disclose.

Review before installing. Run it under a least-privilege DingTalk app, protect DINGTALK_CLIENTSECRET, avoid a shared privileged DINGTALK_OPERATOR_ID in multi-user deployments, and require a human to confirm the exact document and block before any update, delete, append, or insert operation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The documentation says the skill supports only read/blocks/update/append-text/delete and not create, but the analyzed code also implements an insert capability and makes undisclosed calls to OAuth/token and user-info endpoints. The mismatch matters because users and reviewers grant trust on the basis of the documentation, so they may approve document-modification paths and identity-resolution network calls they never knowingly accepted.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill metadata says it supports read/blocks/update/append-text/delete and explicitly does not support create, yet the code also exposes an insert command that writes new content into documents. This hidden capability expands the tool's effective privileges beyond what callers and reviewers would reasonably expect and increases the risk of unintended or unauthorized document modification.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The skill is configured to auto-trigger on the mere presence of a DingTalk document link, which can cause unintended document reads or follow-on actions when a user only shares or references a URL. In agent environments, broad trigger conditions increase the chance of accidental invocation, context confusion, and unauthorized processing of sensitive enterprise document content.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README documents overwrite and delete operations without prominent warnings or guardrails, which can normalize destructive actions and lead to accidental data loss in enterprise documents. In a multi-user document environment, ambiguous or casually phrased modification commands may cause irreversible changes if the agent executes them without explicit confirmation.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Delete and overwrite-style operations execute immediately, with no confirmation step, dry run, or other safeguard, even though they are destructive document mutations. In an agent setting this means a misread prompt, a prompt-injection payload, or an operator mistake is far more likely to end in irreversible data loss or tampering.
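The three medium findings above (broad link-based trigger, undocumented insert, and mutating commands that run without confirmation) share one remedy: a thin guard in front of the skill that triggers only on explicit intent, classifies every command as read-only or mutating (insert included), and refuses a mutation until a human echoes back a token bound to the exact operation, document, and block. The following is an added example written for this review, not the skill's or DingTalk's own code. It assumes the command names listed in the report, addresses a block by a (doc_id, block_id) pair, and uses a constructed link pattern and an in-memory document store in place of the real API.

```python
"""Guardrails for an agent skill that edits DingTalk documents (added example)."""
from __future__ import annotations

import hashlib
import hmac
import re
from dataclasses import dataclass, field

READ_ONLY = frozenset({"read", "blocks"})
# insert is classified as mutating even though the skill's README omits it.
MUTATING = frozenset({"update", "append-text", "delete", "insert"})

# Assumed DingTalk document link shape; adjust to the tenant's real host/path.
DOC_LINK = re.compile(r"https://alidocs\.dingtalk\.com/i/nodes/(?P<doc_id>[A-Za-z0-9]+)")
# Narrow trigger: an explicit request verb must accompany the link.
INTENT = re.compile(r"\b(read|summar\w*|open|fetch|update|append|insert|delete|edit)\b", re.I)


def should_trigger(message: str) -> str | None:
    """Return the doc_id only when a link AND an explicit request are present.

    Merely sharing a link ("agenda is here: <url>") must not invoke the skill.
    """
    link = DOC_LINK.search(message)
    if not link or not INTENT.search(message):
        return None
    return link.group("doc_id")


@dataclass(frozen=True)
class Request:
    op: str
    doc_id: str
    block_id: str | None = None
    text: str | None = None


def confirmation_token(req: Request) -> str:
    """Short token the human must echo back; bound to op + document + block."""
    payload = f"{req.op}|{req.doc_id}|{req.block_id or ''}".encode()
    return hashlib.sha256(payload).hexdigest()[:12]


@dataclass
class GuardedSkill:
    # Constructed in-memory stand-in for the DingTalk document API.
    docs: dict[str, dict[str, str]] = field(default_factory=dict)
    audit: list[str] = field(default_factory=list)

    def plan(self, req: Request) -> str:
        """Dry run: describe the mutation and the token needed, change nothing."""
        before = self.docs.get(req.doc_id, {}).get(req.block_id or "", "")
        return (f"{req.op} on doc={req.doc_id} block={req.block_id} "
                f"current={before!r} new={req.text!r}; confirm with token "
                f"{confirmation_token(req)}")

    def execute(self, req: Request, confirmed_with: str | None = None) -> str:
        if req.op in READ_ONLY:
            return self._read(req)
        if req.op not in MUTATING:
            raise ValueError(f"unknown command {req.op!r}")
        expected = confirmation_token(req)
        # A token for a different block or op does not unlock this request.
        if confirmed_with is None or not hmac.compare_digest(confirmed_with, expected):
            raise PermissionError("destructive op needs confirmation: " + self.plan(req))
        return self._mutate(req)

    def _read(self, req: Request) -> str:
        doc = self.docs[req.doc_id]
        if req.op == "blocks":
            return ",".join(doc)          # block ids only
        return "\n".join(doc.values())    # full text

    def _mutate(self, req: Request) -> str:
        doc = self.docs.setdefault(req.doc_id, {})
        bid = req.block_id or ""
        if req.op == "insert":
            if bid in doc:
                raise ValueError(f"block {bid!r} already exists")
            doc[bid] = req.text or ""
            result = f"inserted {bid}"
        elif req.op == "delete":
            del doc[bid]                  # KeyError if the block is gone
            result = f"deleted {bid}"
        elif req.op == "append-text":
            doc[bid] = doc.get(bid, "") + (req.text or "")
            result = f"appended to {bid}"
        else:                             # update overwrites the block
            doc[bid] = req.text or ""
            result = f"updated {bid}"
        self.audit.append(f"{req.op} {req.doc_id}/{bid}")
        return result
```

The token is deliberately derived from the operation and target rather than from the new text, so a confirmation given for "delete block b1" cannot be replayed against b2 or reused for an insert; `plan()` gives the operator the dry-run view the report says is missing. In a real deployment the guard sits in the agent harness, between the model's tool call and the skill's CLI, and the audit list is shipped to the SIEM.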

VirusTotal

All 61 VirusTotal vendors reported this skill as clean (0/61 detections).
