Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

钉盘助手 DingTalk Cloud Storage Assistant

v1.0.0

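钉盘助手 (DingTalk Cloud Storage Assistant) - Manages DingTalk cloud drive spaces, files, and documents. Triggered when the user asks to read or write DingTalk drive files, manage team spaces, upload or download documents, or work with adoc documents. Also applies to DingTalk file analysis, report generation, team collaboration, and similar scenarios. Trigger words: 钉盘, 钉钉云盘, DingTalk storage, 钉钉文件, 钉钉文档.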

by Andy Liang @andylikescodes
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The name, description, and all API examples align with a DingTalk cloud-storage assistant (listing spaces, reading/writing documents, upload/download flows). However, the skill ships documentation that embeds an AppKey/AppSecret and provides one AppKey in 'permission-list-share.md' — including a plaintext AppSecret in references is disproportionate for a registry-listed skill and not a normal part of a capability manifest.
! Instruction Scope
SKILL.md gives concrete curl commands for listing, reading, writing, uploading, and downloading from api.dingtalk.com. It states a write-whitelist policy (ALLOWED_WRITE_PATHS) that the AI 'must' check before any write, but provides no programmatic enforcement (this is an instruction-only skill), so the enforcement is manual/behavioral and may be unreliable. The instructions also allow the AI to 'read any accessible space' which grants broad data-reading capability when invoked — acceptable for the feature but a potential data-exposure risk if not tightly constrained.
Install Mechanism
No install spec and no code files — instruction-only — so nothing will be written to disk during installation. This is the lowest-risk install model.
! Credentials
The registry metadata lists no required environment variables or primary credential, but SKILL.md explicitly requires an AppKey and AppSecret to obtain access tokens. Further, references/permissions.md contains a plaintext AppSecret value (U2MnO8Z1i46InyzRuFZCKfpDuHYTwGYKp_G1hxbieJ3vy23MuGQ1rW_rK1-kSkM7). Shipping what appears to be a real AppSecret inside skill files is a major red flag: either sensitive credentials were accidentally included, or the skill is advertising an app's secret for use by anyone. The number and scope of DingTalk permissions requested (Storage.* read/write and download info) are plausible for the stated functionality but are high-privilege; principle of least privilege should be enforced.
Persistence & Privilege
always:false and user-invocable:true — no forced always-on privilege. The skill's model-invocation default allows autonomous use when invoked, which is normal. There is no evidence the skill attempts to modify other skills or system settings. However, because it permits broad read access to 'any accessible space,' users should consider when and how the skill will be invoked to limit exposure.
Scan Findings in Context
[embedded_app_secret_in_references] unexpected: references/permissions.md contains a plaintext AppSecret for an AppKey. A skill should not ship real secrets in its files — either remove/replace with clearly-marked examples or require the integrator to supply credentials via environment/config. This is inconsistent with the registry metadata which declared no required credentials.
What to consider before installing
Do not enable this skill in production until the following are resolved:
(1) Confirm whether the AppKey/AppSecret included in references are real — if so, rotate/revoke immediately and do not reuse them. The skill must not ship real secrets in its files; ask the publisher to remove them or mark them as examples.
(2) Require the developer to declare required credentials in the skill manifest (e.g., APP_KEY and APP_SECRET) rather than embedding them in docs.
(3) Ask how the ALLOWED_WRITE_PATHS whitelist is enforced programmatically — a behavioral instruction alone is insufficient; prefer server-side or agent-enforced checks.
(4) Limit granted DingTalk permissions to the minimum needed and have an admin review/approve the permission list before enabling.
(5) Test the skill in an isolated environment with non-production credentials first.
If you cannot get satisfactory answers from the skill author, treat it as untrusted and avoid granting it access to sensitive org data.

Like a lobster shell, security has layers — review code before you run it.
