Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Keplerjai Dingtalk Attendance

v1.0.0

Fetches employee attendance data from the DingTalk Open Platform and saves it locally or pushes it to a specified channel.

by 任佶 (@renjicode)

Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code (index.js, export_excel.py, summary.py) implements a DingTalk attendance fetcher and exporter which is coherent with the skill description. However the registry metadata claims 'Required env vars: none' and 'instruction-only', which is false: the code requires DINGTALK_APP_KEY / DINGTALK_APP_SECRET (and optionally agent/app IDs) and ships Node/Python code—metadata under-declares required credentials and files.
Instruction Scope
SKILL.md instructs the agent to read a .env in the skill directory and not to ask users to paste keys in chat. The code does read .env but also falls back to config.json (index.js loads fileConfig) despite SKILL.md saying '不依赖 config.json'. The runtime actions are limited to calling DingTalk APIs and writing local JSON/Excel files (expected), but the Python exporter will auto-install openpyxl if missing, which causes network activity and package installation at runtime beyond what's documented in SKILL.md.
Install Mechanism
No install spec is declared in the registry (instruction-only), yet the bundle contains package.json/package-lock and Python scripts. SKILL.md's npm install instruction is incomplete (it asks to install axios and moment but omits dotenv which index.js requires). export_excel.py runs os.system('pip install openpyxl -q') if openpyxl is missing — an automatic runtime pip install from PyPI. These inconsistencies and the implicit network installs raise moderate risk.
Credentials
The skill needs DingTalk credentials (AppKey/AppSecret, agentId/appId) to function, but the registry metadata lists no required env vars or primary credential. That mismatch is significant: the skill will require secrets to operate but the manifest does not declare them. No other unrelated credentials are requested.
Persistence & Privilege
The skill does not request elevated platform privileges or always:true. It writes output files under its own data/ directories and does not appear to modify other skills or global configuration. Autonomous invocation is enabled by default but not combined with other high-risk factors here.
What to consider before installing
What to consider before installing/running:
  • This skill does require DingTalk credentials (DINGTALK_APP_KEY and DINGTALK_APP_SECRET, plus optional agent/app IDs) even though the registry metadata lists none — do not paste secrets into chat; store them only in the .env in the skill directory as instructed.
  • The repo includes Node and Python code. Review index.js, export_excel.py and any config.json before running. index.js will call DingTalk APIs and save data locally under data/attendance and data/excel.
  • The Python exporter will automatically attempt to pip-install openpyxl at runtime if not present (export_excel.py uses os.system('pip install openpyxl -q')). That causes network access and package installation — if you prefer control, pre-install dependencies yourself (pip install -r requirements.txt and npm install) and remove/disable the auto-install line.
  • SKILL.md and README are inconsistent: SKILL.md's npm install step omits dotenv (which index.js requires), and SKILL.md says it won't use config.json but index.js will read config.json as a fallback. Treat those as documentation bugs and verify actual behavior locally.
  • Run initially in an isolated environment (VM, container, or isolated project), as the code will perform network calls to oapi.dingtalk.com and may install packages from registries.
  • Verify that the application will only be given the minimal DingTalk permissions required for the task and that the hosting environment has least privilege (don't run as root). Consider rotating credentials after initial tests.
  • If you need higher assurance: audit package-lock.json / package.json for dependencies, run 'npm audit' and 'pip audit' (or equivalent), and consider removing the auto-install behavior or pinning dependency versions before production use.

Overall: the functionality matches the stated purpose, but the manifest/instructions inconsistencies and the runtime auto-install behavior make this suspicious rather than clearly benign. Inspect and run it in an isolated/test environment and address the documentation and install issues before trusting it with production credentials.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
  • index.js:335: Shell command execution detected (child_process).
  • index.js:39: Environment variable access combined with network send.
  • index.js:29: File read combined with network send (possible exfiltration).

Latest: vk97bxf6j4j7m4fmfb4zf80x6mh850vq8 (v1.0.0, MIT-0, updated 3d ago)
32 downloads · 0 stars · 1 version

DingTalk Attendance Data Fetching Skill

Feature description

Periodically fetches employee attendance data from the DingTalk Open Platform and saves it locally or pushes it to a specified channel.

Configuration steps

1. DingTalk Open Platform configuration

  1. Visit https://open.dingtalk.com
  2. Create an internal enterprise application
  3. Obtain the AppKey and AppSecret
  4. Add application permissions:
    • Attendance management permission
    • Address book permission (to fetch employee information)
  5. Have an enterprise administrator approve the authorization

2. Local configuration

Copy .env.example to .env and fill in:

DINGTALK_APP_KEY=你的 AppKey
DINGTALK_APP_SECRET=你的 AppSecret
DINGTALK_AGENT_ID=应用的 agentId
OUTPUT_DIR=./data/attendance
OUTPUT_FORMAT=json

Execution rules:

  • Read credentials and output settings only from the .env in the skill directory.
  • Do not depend on config.json.
  • If .env exists and all fields are filled in, run directly; do not ask the user again to provide credentials in the conversation.

A local self-check is recommended first:

  • Confirm the .env file is in the root of this skill directory, alongside index.js.
  • Confirm it contains DINGTALK_APP_KEY and DINGTALK_APP_SECRET.
  • Confirm you run node index.js from this skill directory (starting from another directory causes the wrong file to be looked up).

Windows PowerShell example:

Copy-Item .env.example .env
node index.js

macOS/Linux example:

cp .env.example .env
node index.js

3. Install dependencies

npm install axios moment

Usage

Manual run

cd keplerjai-dingtalk-attendance
node index.js

Scheduled task (recommended)

Configure a cron job in OpenClaw to fetch the previous day's attendance data automatically every day.

Output data

  • Check-in records (JSON/CSV)
  • Daily/monthly attendance reports
  • Attendance anomaly alerts

Notes

  • API calls are rate-limited; fetch on a schedule rather than in real time.
  • Requires enterprise administrator authorization.
  • Keep sensitive data properly protected.

Agent execution conventions

  • Read the .env in this skill directory before performing the task.
  • If required fields are missing, only report "the local .env is missing required fields"; do not ask the user to paste keys in the chat.
  • By default, return the attendance results and the output file location; never echo any key values.
