ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Dingtalk CLI SKILL

v1.0.13

Dingtalk CLI SKILL / 钉钉 dingding / dingtalk dws skill — Manage DingTalk products (AI forms, calendar, contacts, bots, todos, approvals, attendance, reports,...

0· 103·0 current·0 all-time
by花渡@cizixiu

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for cizixiu/dingtalk-cli-skill.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Dingtalk CLI SKILL" (cizixiu/dingtalk-cli-skill) from ClawHub.
Skill page: https://clawhub.ai/cizixiu/dingtalk-cli-skill
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: DWS_CLIENT_ID, DWS_CLIENT_SECRET, DWS_CONFIG_DIR, DWS_SERVERS_URL
Required binaries: dws
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install dingtalk-cli-skill

ClawHub CLI

Package manager switcher

npx clawhub@latest install dingtalk-cli-skill
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the declared requirements: it expects the dws CLI and DingTalk credentials (DWS_CLIENT_ID/SECRET), which are appropriate for a dws-based skill. However, the package includes many helper Python scripts and internal docs while registry metadata claimed 'instruction-only'—this mismatch is unexpected but could be legitimate (bundled helper scripts).
Instruction Scope
SKILL.md instructs only to use the dws CLI (auth login and various dws commands) and references the included scripts for attachments/automation. It does not instruct the agent to read unrelated system files or exfiltrate data. It does, however, instruct running a browser-based QR login (normal for OAuth device flow).
!
Install Mechanism
SKILL.md contains an install entry that downloads a dws-windows-amd64.zip from a GitHub repo (github.com/DingTalk-Real-AI/...), with a SHA256. Registry metadata claimed 'No install spec', creating an inconsistency. The URL is a GitHub release (lower risk than arbitrary server) but points to a project/repo that is not clearly official; the artifact is Windows-only (dws-windows-amd64.zip / dws.exe) while the skill has no OS restriction—this Windows-specific install + cross-platform scripts is mismatched and should be validated.
Credentials
Requested env vars (DWS_CLIENT_ID, DWS_CLIENT_SECRET, DWS_CONFIG_DIR, DWS_SERVERS_URL) are consistent with a CLI that supports headless auth and custom endpoints. They are proportional to the claimed functionality. Caution: DWS_SERVERS_URL can point the CLI to arbitrary service endpoints; providing client secret to an untrusted skill or binary from an unverified repo increases exposure.
Persistence & Privilege
Skill is not marked always:true and does not request system-wide privileged changes in its docs. It uses local CLI/auth flow and scripts stored under a skill directory—no evidence it alters other skills or global agent settings.
What to consider before installing
This skill mostly matches its stated purpose (it is a wrapper/guide for the dws DingTalk CLI), but there are red flags you should address before installing: - Verify provenance: the package owner and homepage are missing; the install URL points to a GitHub repo that may not be the official DingTalk/dingtalk project. Confirm the repo is trustworthy before downloading executables. - Confirm the binary: if you plan to use the included install URL, manually download and verify the SHA256 checksum and inspect the binary/source. Prefer to download from the official DingTalk org if available. - OS mismatch: the SKILL.md's install step provides a Windows dws.exe; ensure this fits your OS or that a proper build exists for your platform. - Protect credentials: the skill requests DWS_CLIENT_ID and DWS_CLIENT_SECRET (normal for headless auth). Only set these for a CLI/binary you trust. Avoid pasting secrets into unreviewed install scripts. - Inspect bundled scripts: the package includes multiple Python helper scripts (upload_attachment.py, calendar schedulers, etc.). Review them for network endpoints or unexpected behavior before running. - Least privilege: consider using a test DingTalk account or limited-scope app credentials when first enabling the skill. If you cannot verify the download/source or review the scripts, treat the skill as untrusted and do not provide your production client secret or point DWS_SERVERS_URL to non-official endpoints.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Binsdws
EnvDWS_CLIENT_ID, DWS_CLIENT_SECRET, DWS_CONFIG_DIR, DWS_SERVERS_URL
Primary envDWS_CLIENT_ID
calendarvk97ae150x3d9agkvrzrgyfdea984ks5dcizixiuvk97ae150x3d9agkvrzrgyfdea984ks5dclivk97ae150x3d9agkvrzrgyfdea984ks5ddingdingvk97ae150x3d9agkvrzrgyfdea984ks5ddingtalkvk97ae150x3d9agkvrzrgyfdea984ks5ddingtalk-clivk97ae150x3d9agkvrzrgyfdea984ks5ddingtalk-cli-skillvk97ae150x3d9agkvrzrgyfdea984ks5ddwsvk97ae150x3d9agkvrzrgyfdea984ks5dlatestvk97ae150x3d9agkvrzrgyfdea984ks5dofficialvk97ae150x3d9agkvrzrgyfdea984ks5dtodovk97ae150x3d9agkvrzrgyfdea984ks5d
103downloads
0stars
1versions
Updated 2w ago
v1.0.13
MIT-0
花渡@cizixiu
calendarcizixiuclidingdingdingtalkdingtalk-clidingtalk-cli-skilldwslatestofficialtodo
Download

DingTalk dws Skill (WorkBuddy Version)

钉钉 dws 技能(WorkBuddy 版)

Use dws CLI to manage all DingTalk product capabilities. 使用 dws CLI 管理钉钉全部产品功能。

dws CLI Path / dws CLI 路径

dws is installed at $HOME\.local\bin\dws.exe. Always use the full path or ensure $HOME\.local\bin is in your PATH. dws 安装在 $HOME\.local\bin\dws.exe。调用时使用完整路径,或确保 $HOME\.local\bin 已加入 PATH 环境变量。

Authentication / 认证

First-time users must authenticate: / 首次使用需认证:

& "$HOME\.local\bin\dws.exe" auth login

This opens a browser for QR code login. Credentials persist for 30 days. 此命令会打开浏览器,引导扫码登录钉钉。凭证有效期 30 天。

Re-authenticate when expired: / 凭证过期后重新认证:

& "$HOME\.local\bin\dws.exe" auth login

Common Commands / 常用命令

| Scenario 场景 | Command 命令 | :|----------|---------| | List todos / 查看待办 | dws todo task list | | Create todo / 创建待办 | dws todo task create --title "Report" --deadline 2026-04-15 | | List calendar / 查看日历 | dws calendar event list | | Send group message / 发群消息 | dws chat bot send-by-group --group-id <ID> --content "Message" | | List reports / 查看日报周报 | dws report inbox list | | Search contact / 搜索联系人 | dws contact user search --keyword "Name" | | List AI tables / 查看 AI 表格 | dws aitable base list |

See the references/ directory for full documentation on all 12 DingTalk products. 查看 references/ 目录获取全部 12 个钉钉产品的详细文档。

Comments

Loading comments...