dingtalk-doc

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real DingTalk Docs management skill, but it can overwrite and delete documents and ships with a workspace-wide write whitelist, so it belongs in Review before installation.

Install only if you intend the agent to read and modify DingTalk Docs. Before use, replace the bundled whitelist with your own narrow workspace and document rules, avoid '/' unless every document in that workspace may be changed or deleted, and require explicit human confirmation for overwrite and delete requests. Keep DINGTALK_CLIENTSECRET protected.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Intent-Code Divergence

Medium
Confidence: 93%
Finding:
The comment says only a human may edit this file, but the effective policy grants a workspace root write access via allowRootWrite=true and whitelist ["/"]. In a document-management skill, this gives the agent broad authority to modify any content in that workspace, so prompt injection, misrouting, or authorization mistakes could lead to widespread unauthorized document changes.

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding:
The manifest and metadata position this as a document summarization/reading/updating skill, but the exposed scripts include broader and riskier capabilities such as document creation, deletion, and permission-related checks. This capability mismatch can cause the agent runtime or users to invoke a skill with destructive powers under a narrower trust assumption, increasing the chance of unauthorized data modification or deletion.

Vague Triggers

Medium
Confidence: 82%
Finding:
The description says the skill should be used whenever a message contains a DingTalk Docs link or refers broadly to reading, summarizing, viewing, updating, or when context merely implies a DingTalk document. That trigger scope is overly broad for a skill with write and delete capabilities, making accidental invocation and unintended document actions more likely.

Missing User Warnings

Medium
Confidence: 89%
Finding:
The client exposes destructive deletion operations without any built-in confirmation, dry-run mode, or safeguard against accidental invocation. In an agentic setting, this makes prompt mistakes, ambiguous user requests, or parameter confusion more likely to cause irreversible document loss.

VirusTotal

VirusTotal findings are pending for this skill version.