dws-chat

Security checks across malware telemetry and agentic risk

Overview

This is not malware, but it gives an agent DingTalk chat authority that is broader than its group-chat label suggests.

Install only if you trust the DingTalk CLI source and are comfortable granting this agent access to DingTalk messages. Review the remote installer before running it, use a least-privilege DingTalk account if possible, keep the workspace token directories private, and require explicit confirmation before any send, recall, or group-membership change.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Description-Behavior Mismatch

Medium
Confidence: 88%
Finding
The file documents direct-message sending commands even though the skill metadata says this skill is specifically for DingTalk group chat. That scope expansion increases the agent's reachable actions from group operations to one-to-one messaging, creating a capability mismatch that could enable unintended outreach, privacy violations, or abuse if the agent follows the reference instead of the declared scope.

Description-Behavior Mismatch

Medium
Confidence: 86%
Finding
The reference includes steps to resolve a private conversation ID and retrieve single-chat history, which exceeds the stated group-chat-only purpose of the skill. This broadens access from group records to potentially sensitive private communications, making accidental or unauthorized retrieval more likely if the agent uses the document as operational guidance.

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding
The document includes a command to add arbitrary users to groups, but the skill metadata only advertises querying/sending group messages, searching groups, adding bots, and fetching group history. Member-addition changes real group membership and is a materially stronger action than the declared scope, opening the door to unauthorized access, information exposure, and disruptive membership changes if invoked by the agent.

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The guide documents a direct person-to-person messaging capability ('给张三发消息', "send a message to Zhang San") even though the skill is described as a group-chat-specific skill. This can mislead users and downstream agents into invoking undeclared or broader-scope messaging operations, increasing the chance of privacy-impacting actions or use of unintended APIs/permissions.

Description-Behavior Mismatch

Medium
Confidence: 89%
Finding
The documentation states that dangerous operations such as kicking users and recalling messages are part of the skill's confirmation workflow, despite those actions not being declared in the stated capabilities. Mentioning unsupported administrative actions can cause users or orchestrators to assume the skill may perform higher-risk group-management operations, creating confusion, accidental overreach, and potential misuse if backend tooling later exposes such commands.

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
This skill is described as chat-only, but the wrapper forwards arbitrary dws subcommands from sys.argv directly to the CLI without enforcing a chat-only allowlist. In the skill context, that creates a capability-expansion issue: a caller can potentially invoke unrelated dws operations, including auth, config, or other privileged commands, bypassing the skill's intended scope and increasing the chance of sensitive data access or unintended state changes.

Intent-Code Divergence

Medium
Confidence: 86%
Finding
The module docstring presents this file as a generic dws runner and even gives examples for unrestricted subcommand usage, which conflicts with the manifest's chat-only intent. That mismatch is dangerous because it encourages integrators or downstream agents to treat this wrapper as a general-purpose privileged CLI bridge, making misuse and scope bypass more likely.
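The two findings above describe the same gap: the wrapper passes whatever is in sys.argv to dws. The block below is an added example of the fix, not the skill's own wrapper code. It keeps a chat-only allowlist, screens flags that could repoint the CLI at another identity or config, and gates state-changing subcommands behind the explicit confirmation the overview asks for. The subcommand and flag names (group-search, group-history, group-send, bot-add, --config, --token, --profile) are assumptions that mirror the declared capabilities; the real dws CLI's names are not shown on this page.

```python
"""Chat-only gate for a dws CLI wrapper (added example, not the skill's code).

Subcommand and flag names below are hypothetical; they stand in for the
capabilities the skill manifest declares.
"""
import shlex
import subprocess

# Subcommands that stay inside the declared "group chat" scope (hypothetical names).
CHAT_ALLOWLIST = {
    "group-search",   # search groups
    "group-history",  # fetch group history
    "group-send",     # send a group message
    "bot-add",        # add a bot to a group
}

# Allowed subcommands that change state other people can see; these need an
# explicit yes from the user before the wrapper forwards them.
CONFIRM_REQUIRED = {"group-send", "bot-add"}

# Global flags that would let a caller use another identity or config file even
# when the subcommand itself is allowed (hypothetical names).
FORBIDDEN_FLAGS = {"--config", "--token", "--profile"}


class ScopeError(ValueError):
    """Raised when argv asks for something outside the chat-only scope."""


def forward_unchecked(argv):
    """The pattern the finding describes: argv goes straight to the CLI."""
    return ["dws", *argv]


def build_command(argv, confirm):
    """Return the dws command line to run, or raise ScopeError.

    `confirm` takes the full command list and returns True only if the user
    explicitly approved it.
    """
    if not argv:
        raise ScopeError("no subcommand given")
    sub = argv[0]
    if sub not in CHAT_ALLOWLIST:
        raise ScopeError(f"{sub!r} is outside the chat-only scope")
    for arg in argv[1:]:
        # Handles both "--config /x" and "--config=/x".
        if arg.split("=", 1)[0] in FORBIDDEN_FLAGS:
            raise ScopeError(f"flag {arg!r} is not permitted")
    cmd = ["dws", *argv]
    if sub in CONFIRM_REQUIRED and not confirm(cmd):
        raise ScopeError(f"{sub!r} changes visible state and was not confirmed")
    return cmd


def ask_on_terminal(cmd):
    """Interactive confirmation: show the exact command and require 'yes'."""
    answer = input(f"About to run: {shlex.join(cmd)}\nType 'yes' to continue: ")
    return answer.strip() == "yes"


def run(argv, confirm=ask_on_terminal):
    """Validate argv, then execute it as an argument list (no shell involved)."""
    return subprocess.run(build_command(argv, confirm), check=False)


if __name__ == "__main__":
    import sys
    try:
        raise SystemExit(run(sys.argv[1:]).returncode)
    except ScopeError as err:
        raise SystemExit(f"refused: {err}")
```

The allowlist is on the first positional argument only; a real wrapper should also restrict which options each allowed subcommand accepts, since a permissive CLI may still read alternate credential paths from options the wrapper does not know about.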

Missing User Warnings

Medium
Confidence: 82%
Finding
Member-management commands modify live group membership, but this section lacks a warning commensurate with the operational risk of changing who can read group conversations. In the context of an agent skill, an under-emphasized warning can lead to accidental execution of a high-impact administrative action, especially when the action is also out of scope for the declared skill.

Missing User Warnings

Medium
Confidence: 95%
Finding
The Windows install instructions use a remote PowerShell script piped directly into execution (`irm ... | iex`) without any integrity verification, pinning, or warning about the trust boundary. This creates a supply-chain execution path where compromise of the upstream repository, transport, or script content results in immediate arbitrary code execution on the user's machine.

Missing User Warnings

Medium
Confidence: 97%
Finding
The macOS/Linux instructions fetch a shell script from GitHub and immediately execute it with `sh`, again without checksum/signature verification or revision pinning. This is dangerous because any upstream compromise or malicious update to the referenced script yields arbitrary command execution during installation.

Missing User Warnings

Medium
Confidence: 97%
Finding
The sandbox install path still executes a remotely fetched shell script directly, so the trust problem remains even if the runtime is more isolated. In a mounted workspace or mixed host/sandbox environment, a malicious installer could tamper with workspace files, credentials, or subsequent agent behavior.
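The three install findings above (PowerShell `irm | iex`, macOS/Linux `curl | sh`, and the sandbox variant) share one weakness: the bytes are executed before anyone can compare them to what was reviewed. The block below is an added example of the fetch-verify-execute pattern, not the project's installer. It pins a commit-addressed URL, compares the download's SHA-256 against a digest obtained out of band, and writes the script to an owner-only temporary file before handing it to `sh`. The URL, the sample script and its digest are constructed placeholders.

```python
"""Pin-and-verify replacement for `curl ... | sh` (added example, not the project's installer).

PINNED_URL and SAMPLE_SCRIPT are constructed placeholders. A real deployment
pins the URL to a specific commit and takes the expected SHA-256 from a source
other than the download itself (release notes, a signed manifest, a prior review).
"""
import hashlib
import hmac
import os
import stat
import subprocess
import tempfile
import urllib.request

# Hypothetical pinned location: commit-addressed, never a branch name.
PINNED_URL = "https://raw.githubusercontent.com/example/dws/0123456789abcdef/install.sh"

# Constructed sample standing in for the real installer during an offline run.
SAMPLE_SCRIPT = b"#!/bin/sh\necho 'installing dws (sample)'\n"


class IntegrityError(RuntimeError):
    """The fetched bytes do not match the digest that was reviewed and pinned."""


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def digest_matches(script, expected_hex):
    """Constant-time comparison of the script's SHA-256 with the pinned value."""
    return hmac.compare_digest(sha256_hex(script), expected_hex.lower())


def fetch(url, timeout=30):
    """Download the installer bytes; nothing is executed here."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def stage_verified(script, expected_hex, directory=None):
    """Write the script to an owner-only file only if its digest matches.

    Returns the path to execute; raises IntegrityError otherwise, so the bytes
    never reach an interpreter.
    """
    if not digest_matches(script, expected_hex):
        raise IntegrityError(
            f"sha256 {sha256_hex(script)} != pinned {expected_hex}; refusing to run")
    fd, path = tempfile.mkstemp(prefix="dws-install-", suffix=".sh", dir=directory)
    with os.fdopen(fd, "wb") as fh:
        fh.write(script)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR)  # 0700
    return path


def install(expected_hex, url=PINNED_URL, fetch_fn=fetch, runner=subprocess.run):
    """Fetch, verify, then run. The verify step is exactly what `| sh` skips."""
    path = stage_verified(fetch_fn(url), expected_hex)
    try:
        return runner(["sh", path], check=True)
    finally:
        os.unlink(path)
```

The digest check protects against a changed script, not against a reviewed script that was malicious to begin with; reading the pinned revision once is still part of the procedure. The same pattern applies to the Windows path by replacing `sh` with `powershell -File` on the staged file.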

Missing User Warnings

Medium
Confidence: 84%
Finding
The document explicitly describes where OAuth tokens are stored and notes that, in the sandbox flow, credentials may land in a workspace-mounted directory, but it does not warn that these tokens are sensitive secrets or that workspace exposure, backup, or sharing could leak them. In a skill centered on chat access and bot operations, unclear handling guidance increases the chance of accidental credential disclosure or cross-agent access.
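A check a practitioner would run before trusting the sandbox flow, as an added example that is not part of the skill: it reports a token directory that sits inside a workspace mount (where syncing, sharing or backups would carry the tokens along) and any directory or token file readable by group or others. The directory layout is constructed by make_demo_layout; the page names neither the real token paths nor the workspace mount points, so those are assumptions.

```python
"""Audit where DingTalk OAuth tokens live and who can read them (added example).

The layout built by make_demo_layout is constructed for the demonstration; the
real token paths and workspace mount points are not given on the page.
"""
import os
import stat
import tempfile

GROUP_OR_OTHER = stat.S_IRWXG | stat.S_IRWXO


def audit_token_dir(token_dir, workspace_roots=()):
    """Return a list of problems; an empty list means the layout is acceptable."""
    problems = []
    real = os.path.realpath(token_dir)
    for root in workspace_roots:
        root_real = os.path.realpath(root)
        if real == root_real or real.startswith(root_real + os.sep):
            problems.append(f"{token_dir} is inside workspace mount {root}; "
                            "anything that syncs, shares or backs up the workspace gets the tokens")
    if not os.path.isdir(real):
        problems.append(f"{token_dir} does not exist")
        return problems
    dmode = stat.S_IMODE(os.stat(real).st_mode)
    if dmode & GROUP_OR_OTHER:
        problems.append(f"directory mode {dmode:04o} is accessible by group/others; want 0700")
    for name in sorted(os.listdir(real)):
        path = os.path.join(real, name)
        if not os.path.isfile(path):
            continue
        fmode = stat.S_IMODE(os.stat(path).st_mode)
        if fmode & GROUP_OR_OTHER:
            problems.append(f"{name} mode {fmode:04o} is accessible by group/others; want 0600")
    return problems


def make_demo_layout():
    """Constructed layout: a token dir inside a workspace mount with a
    world-readable token file, and a private token dir outside the workspace.
    Returns (workspace, bad_dir, good_dir)."""
    base = tempfile.mkdtemp(prefix="dws-audit-")
    workspace = os.path.join(base, "workspace")
    bad_dir = os.path.join(workspace, ".dws", "tokens")
    good_dir = os.path.join(base, "home", ".dws", "tokens")
    for d, dir_mode, file_mode in ((bad_dir, 0o755, 0o644), (good_dir, 0o700, 0o600)):
        os.makedirs(d)
        token = os.path.join(d, "oauth.json")
        with open(token, "w") as fh:
            fh.write('{"access_token": "constructed-not-a-real-token"}\n')
        os.chmod(token, file_mode)
        os.chmod(d, dir_mode)
    return workspace, bad_dir, good_dir


if __name__ == "__main__":
    ws, bad, good = make_demo_layout()
    for d in (bad, good):
        print(d, audit_token_dir(d, workspace_roots=[ws]) or ["ok"])
```

Run it against the real token directory with the sandbox's mount point in workspace_roots; a non-empty result is a reason to move the tokens or tighten modes before the skill is used.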

VirusTotal

65/65 vendors flagged this skill as clean.