Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

DingTalk Bot

v1.0.0

DingTalk Bot integration for messaging, group management, approval workflows, and attendance. Send messages, manage groups, handle approvals, and automate no...

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for jason-aka-chen/dingtalk-bot-chen.

Install the skill "DingTalk Bot" (jason-aka-chen/dingtalk-bot-chen) from ClawHub.
Skill page: https://clawhub.ai/jason-aka-chen/dingtalk-bot-chen
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install dingtalk-bot-chen

ClawHub CLI

npx clawhub@latest install dingtalk-bot-chen

Security Scan

VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)

Purpose & Capability

Name, description, SKILL.md, and the included dingtalk_bot.py all describe DingTalk messaging, group, approval, and attendance features — this is coherent with the stated purpose. However the registry metadata lists no required environment variables while the SKILL.md and code clearly expect DINGTALK_WEBHOOK_URL, DINGTALK_SECRET, DINGTALK_APP_KEY, DINGTALK_APP_SECRET, and DINGTALK_AGENT_ID. That omission in the metadata is an incoherence worth flagging.

Instruction Scope

SKILL.md instructs the agent to set environment variables and shows only API calls to DingTalk (oapi.dingtalk.com). There are no instructions to read unrelated local files or transmit data to unexpected endpoints. The runtime instructions are generally scoped to the DingTalk integration.

Install Mechanism

No install spec or external downloads are present; the skill ships a single Python module and relies on standard libraries plus requests. This is low risk from an install/download perspective.

! Credentials

The SKILL.md and code require sensitive credentials (webhook secret, app key/secret, agent id) which are proportional to controlling a DingTalk bot. However the package metadata declares no required environment variables or primary credential, creating a mismatch that could cause users to unknowingly provide secrets in the wrong place or miss the need to secure them. Confirm where to store these secrets in your agent before enabling the skill.

Persistence & Privilege

The skill does not request always:true and does not modify other skills or system settings. It performs network calls when invoked but has no built-in persistence or elevated platform privileges.

What to consider before installing

This skill appears to implement a DingTalk integration and calls only DingTalk APIs, but the package metadata does not list the environment variables the SKILL.md requires. Before installing: (1) review the full dingtalk_bot.py source in your environment (it contains several implementation bugs — e.g. incorrect HMAC usage and some incorrect request URLs — which could cause failures); (2) do not paste production app secrets into an agent until you confirm how the agent stores them; (3) run the code in a controlled/test account first (use a test DingTalk app/webhook); (4) ask the publisher to correct the metadata to declare required env vars and to fix the implementation errors, or prefer an official/verified integration. If you need help auditing specific functions or verifying network destinations, provide the rest of the source and I can inspect further.

Like a lobster shell, security has layers — review code before you run it.
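
The metadata/code mismatch flagged in the scan can be checked mechanically before install. The following is an added example, not ClawHub's scanner and not the skill's own code: it lists the environment variables a Python module reads and reports the ones missing from a declared list. The sample source is constructed, and the `declared` list stands in for the registry metadata, whose format this page does not show (assumes Python 3.9+ for `ast.unparse`).

```python
import ast

# Constructed sample standing in for a skill module; NOT the real dingtalk_bot.py.
SAMPLE_SOURCE = '''
import os
class DingTalkBot:
    def __init__(self, webhook_url=None, secret=None):
        self.webhook_url = webhook_url or os.environ.get("DINGTALK_WEBHOOK_URL")
        self.secret = secret or os.getenv("DINGTALK_SECRET")
        self.app_key = os.environ["DINGTALK_APP_KEY"]
'''


def _literal(node):
    """Return the string value of a literal node, else None."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None


def referenced_env_vars(source):
    """Names read via os.getenv(), os.environ.get() or os.environ[...]."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        name = None
        if isinstance(node, ast.Call) and node.args:
            if ast.unparse(node.func) in ("os.getenv", "os.environ.get"):
                name = _literal(node.args[0])
        elif isinstance(node, ast.Subscript):
            if ast.unparse(node.value) == "os.environ":
                name = _literal(node.slice)
        if name:
            found.add(name)
    return found


def undeclared_env_vars(source, declared):
    """Variables the code reads that the metadata (hypothetical list) omits."""
    return sorted(referenced_env_vars(source) - set(declared))


if __name__ == "__main__":
    # Empty list mirrors the finding: metadata declares no required variables.
    for name in undeclared_env_vars(SAMPLE_SOURCE, declared=[]):
        print("undeclared:", name)
```

Only literal names are detected; a variable name built at runtime will not appear, so an empty result is not proof that the module reads nothing.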

latest (vk975a5jbbratt7p39h3wjfeepd83cftd) · 94 downloads · 0 stars · 1 version · Updated 1mo ago · v1.0.0 · MIT-0

DingTalk Bot

Complete DingTalk bot integration for AI agents.

Features

1. Messaging

  • Send text, markdown, link, and action card messages
  • Send to groups via webhook or API
  • At mentions and notifications

2. Group Management

  • Create groups
  • Add/remove members
  • Group robot management

3. Approval Workflows

  • Create approval instances
  • Query approval status
  • Approval callbacks

4. Attendance

  • Get attendance records
  • Query employee attendance
  • Vacation balance

Prerequisites

  1. Create a DingTalk Corp at https://open.dingtalk.com
  2. Create a Custom Robot in group settings
  3. Get Webhook URL and Secret (for signature verification)
  4. For advanced features, create an internal app and get AppKey/AppSecret

Configuration

Set environment variables:

# For webhook-based bots
export DINGTALK_WEBHOOK_URL="https://oapi.dingtalk.com/robot/send?access_token=xxx"
export DINGTALK_SECRET="SECxxx"

# For API-based bots
export DINGTALK_APP_KEY="ding_xxx"
export DINGTALK_APP_SECRET="xxx"
export DINGTALK_AGENT_ID="xxx"

Usage

Send Text Message (Webhook)

from dingtalk_bot import DingTalkBot

# Webhook mode
bot = DingTalkBot(webhook_url="YOUR_WEBHOOK_URL", secret="YOUR_SECRET")

# Send text
bot.send_text("Hello from bot!")

# Send with at mentions
bot.send_text("Hello @all", at_mobiles=["13800138000"])

Send Markdown Message

bot.send_markdown(
    title="Daily Report",
    text="## Sales Report\n- Today: $10,000\n- Week: $50,000"
)

Send Action Card

bot.send_action_card(
    title="Approval Request",
    text="Please approve the following request",
    buttons=[
        {"title": "Approve", "action_url": "https://.../approve"},
        {"title": "Reject", "action_url": "https://.../reject"}
    ]
)

Create Group (API Mode)

# API mode with authentication
bot = DingTalkBot(app_key="xxx", app_secret="xxx", agent_id="xxx")

group = bot.create_group(name="Project Team", owner_user_id="manager123")
print(group["open_conversation_id"])

Approval Workflow

# Create approval
approval = bot.create_approval(
    process_code="PROC-xxx",
    originator_user_id="user123",
    form_values={"title": "Leave Request", "days": 3}
)

# Get status
status = bot.get_approval_instance(approval["process_instance_id"])

Attendance Query

records = bot.get_attendance_records(
    work_date="2024-03-15",
    user_ids=["user123", "user456"]
)
print(records)

API Reference

Webhook Methods

| Method | Description |
| --- | --- |
| send_text(text, at_mobiles=None, at_user_ids=None) | Send text message |
| send_markdown(title, text) | Send markdown message |
| send_link(title, text, message_url, pic_url) | Send link message |
| send_action_card(title, text, buttons) | Send action card |
| send_feed_card(links) | Send feed card |

API Methods

| Method | Description |
| --- | --- |
| create_group(name, owner_user_id, user_ids) | Create group |
| add_group_members(chat_id, user_ids) | Add members |
| remove_group_members(chat_id, user_ids) | Remove members |
| create_approval(process_code, originator_user_id, form_values) | Create approval |
| get_approval_instance(process_instance_id) | Get approval status |
| get_attendance_records(work_date, user_ids) | Get attendance |
| get_vacation_balance(user_id) | Get vacation balance |

Signature Generation

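For webhook security, sign each request: compute HMAC-SHA256 with the secret as the key over the string "timestamp\nsecret", base64-encode the digest, URL-encode it, and send it with the timestamp as the sign and timestamp query parameters of the webhook URL:

import hmac
import hashlib
import base64
import time
import urllib.parse

timestamp = str(round(time.time() * 1000))
secret = "YOUR_SECRET"

# The secret is the HMAC key; the message is "<timestamp>\n<secret>"
string_to_sign = f'{timestamp}\n{secret}'
sign = hmac.new(secret.encode('utf-8'), string_to_sign.encode('utf-8'), digestmod=hashlib.sha256).digest()
# URL-encode the base64 value before appending it as &sign=... to the webhook URL
signature = urllib.parse.quote_plus(base64.b64encode(sign))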
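
The scan report above notes incorrect HMAC usage in the shipped module. The following added example (not the skill's code) contrasts the correctly keyed signature with the mis-keyed form, where string_to_sign is passed as the key and no message is signed, then builds the signed webhook URL and a log-safe redacted copy. The function names are hypothetical and the credentials are the placeholder values from the Configuration section.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def _b64_hmac(key: bytes, msg: bytes) -> str:
    return base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode("ascii")


def dingtalk_sign(secret: str, timestamp_ms: str) -> str:
    """Correct form: key = secret, message = "<timestamp>\\n<secret>"."""
    string_to_sign = f"{timestamp_ms}\n{secret}"
    return _b64_hmac(secret.encode("utf-8"), string_to_sign.encode("utf-8"))


def miskeyed_sign(secret: str, timestamp_ms: str) -> str:
    """The mistake: string_to_sign used as the key, with an empty message."""
    string_to_sign = f"{timestamp_ms}\n{secret}"
    return _b64_hmac(string_to_sign.encode("utf-8"), b"")


def signed_webhook_url(webhook_url: str, secret: str, timestamp_ms: str = "") -> str:
    """Append timestamp and sign, keeping access_token and dropping stale values."""
    ts = timestamp_ms or str(round(time.time() * 1000))
    parts = urlsplit(webhook_url)
    query = [(k, v) for k, v in parse_qsl(parts.query) if k not in ("timestamp", "sign")]
    query += [("timestamp", ts), ("sign", dingtalk_sign(secret, ts))]
    # urlencode percent-encodes the '+', '/' and '=' that base64 can produce.
    return urlunsplit(parts._replace(query=urlencode(query)))


def redact_url(url: str) -> str:
    """Mask the credential-bearing parameters so the URL is safe to log."""
    parts = urlsplit(url)
    masked = [(k, "***" if k in ("access_token", "sign") else v)
              for k, v in parse_qsl(parts.query)]
    return urlunsplit(parts._replace(query=urlencode(masked, safe="*")))


if __name__ == "__main__":
    # Placeholder values from the Configuration section, not real credentials.
    url = signed_webhook_url(
        "https://oapi.dingtalk.com/robot/send?access_token=xxx", "SECxxx")
    print(redact_url(url))
```

A mis-keyed signature is still a well-formed 44-character base64 string, so the only symptom is the server rejecting the request (the page lists 400031 for an invalid signature).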

Error Handling

Common errors:

  • 400031: Invalid signature - check secret
  • 400035: Missing parameters - verify request body
  • 400036: Invalid approval process - check process_code
  • 400037: Duplicate approval - instance already exists
