DingTalk AI Tables Cross-Table Insight Analysis (钉钉 AI 表格跨表格洞察分析)

Security checks across malware telemetry and agentic risk

Overview

This skill has a legitimate table-analysis purpose, but it handles sensitive business table data with unsafe shell command construction and contradictory privacy claims about local-only processing.

Install only after reviewing or fixing the shell command construction. Use a least-privilege DingTalk token, prefer keyword-scoped runs, avoid full scans on sensitive workspaces, and use --no-llm unless you are comfortable sending sampled table contents to the configured OpenClaw model or agent context. Treat generated reports, logs, and cache metadata as sensitive because they may aggregate information from multiple business tables.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (31)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
f'limit={page_limit} > "{tmp_file}" 2>&1')

# Run the command
subprocess.run(cmd, shell=True, timeout=30)

# Read and parse the JSON
with open(tmp_file, 'r', encoding='utf-8') as f:
Confidence
97% confidence
Finding
subprocess.run(cmd, shell=True, timeout=30)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
    # Run the command, redirecting output to a temporary file
    cmd_redirect = f'{cmd} > "{tmp_file}" 2>&1'
    result = subprocess.run(cmd_redirect, shell=True, timeout=30)

    # Read the file contents
    with open(tmp_file, 'r', encoding='utf-8') as f:
Confidence
98% confidence
Finding
result = subprocess.run(cmd_redirect, shell=True, timeout=30)

Tainted flow: 'cmd' from os.getenv (line 422, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
f'limit={page_limit} > "{tmp_file}" 2>&1')

# Run the command
subprocess.run(cmd, shell=True, timeout=30)

# Read and parse the JSON
with open(tmp_file, 'r', encoding='utf-8') as f:
Confidence
96% confidence
Finding
subprocess.run(cmd, shell=True, timeout=30)

Tainted flow: 'cmd_redirect' from os.getenv (line 224, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
try:
    # Run the command, redirecting output to a temporary file
    cmd_redirect = f'{cmd} > "{tmp_file}" 2>&1'
    result = subprocess.run(cmd_redirect, shell=True, timeout=30)

    # Read the file contents
    with open(tmp_file, 'r', encoding='utf-8') as f:
Confidence
96% confidence
Finding
result = subprocess.run(cmd_redirect, shell=True, timeout=30)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill exposes meaningful capabilities (environment access, file read/write, and shell execution) but does not declare permissions explicitly. This weakens user and platform visibility into what the skill can do, making it easier for a user to invoke a tool with broader access than expected and increasing the blast radius if the script is modified or compromised.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose understates several sensitive behaviors: default external LLM invocation, local caching/logging, and the ability to scan all accessible tables without a keyword. This creates a consent and transparency failure where users may expose broad business data to external processing or persistent local storage without realizing it.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The security section states that all analysis is local and that no results are uploaded, but earlier sections say the default path uses an OpenClaw agent for LLM analysis. That contradiction can mislead users into sharing sensitive table data under a false privacy assurance, especially in enterprise data contexts.

Intent-Code Divergence

Low
Confidence
77% confidence
Finding
The examples document a no-keyword mode that scans all accessible AI tables, which broadens the skill from targeted keyword-based analysis to bulk discovery and review. In a business environment, this increases the chance of processing unrelated sensitive datasets and exposing insights from tables the user did not explicitly intend to analyze.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The document presents contradictory handling of sensitive fields: earlier sections say detailed fields like UID and timestamps are removed, while the security section says those same fields are retained. This can cause implementers and users to misunderstand what data is actually exposed to the model, leading to unintended disclosure of personal or enterprise-sensitive information.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The file claims analysis is 'local' and 'not transmitted', but elsewhere it describes sending prompts and data to OpenClaw sessions/CLI for LLM processing. This is a materially misleading security statement that can result in confidential table data being transmitted off-host or to another service without informed consent or proper controls.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file claims '每表最多 50 条记录' (at most 50 records per table) and local-only analysis, but the implementation can read all records from every sheet before sampling and later send summaries to another agent. This mismatch is security-relevant because users may consent under false assumptions about data minimization, causing unintended overcollection and exposure of potentially sensitive business data.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The documentation says data is not uploaded to external services, yet `analyze_with_llm` forwards table-derived content to `openclaw agent`. Even if `openclaw` is an internal component, this contradicts the stated trust boundary and can expose business records to another service/process without informed user approval.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The report text claims only the first 100 records per sheet are read, but the implementation may fetch all records and then randomly sample. This is a meaningful data-minimization and transparency failure: operators may believe the tool accesses far less data than it actually does, increasing privacy and confidentiality exposure.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The skill advertises table insight analysis, but silently delegates the data to an external OpenClaw agent subprocess, expanding the trust boundary beyond what users may reasonably expect. In a business-data context, undisclosed external processing materially changes the privacy and security posture because enterprise records are being handed to another agent for analysis.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The changelog states that LLM-based analysis is enabled by default and that table data samples are sent for analysis, but it does not mention any user-facing consent, privacy notice, data classification guardrails, or restrictions on sensitive content. In a skill that analyzes business tables across multiple datasets, this can expose confidential operational, HR, or project data to an external or centralized model processing path without users clearly understanding that transmission is occurring.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
This section explicitly describes sending detailed table distributions, actual record samples, and key fields such as titles, priorities, statuses, and assignees to the LLM, yet provides no accompanying privacy or data-handling warning. Because the skill is intended for cross-table business insight analysis, those samples may contain sensitive internal business or personnel information, making silent default transmission a meaningful confidentiality risk.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The README presents very broad natural-language invocation examples such as analyzing sales, recruitment, or even scanning all tables. In agent ecosystems that rely on semantic matching, these generic phrases can overlap with ordinary user conversation and cause accidental skill activation against sensitive business data, especially because this skill performs cross-table analysis over DingTalk AI tables.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document emphasizes that LLM analysis is enabled by default but does not provide a prominent user-facing warning that table data may be sent to a model service. In a cross-table business analytics skill, that omission materially increases the risk of inadvertent disclosure of sensitive operational or financial data.

Missing User Warnings

High
Confidence
98% confidence
Finding
The security section makes inaccurate privacy claims while omitting disclosure of external model processing. Because this skill analyzes potentially sensitive enterprise tables across projects or departments, misleading privacy language substantially increases the likelihood of unauthorized or unexpected data disclosure.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The documentation explicitly instructs users to run `echo $DINGTALK_MCP_TOKEN`, which prints a live credential to the terminal and potentially into shell history, logs, screen recordings, or shared terminal sessions. While intended as a troubleshooting step, exposing authentication tokens in plaintext increases the risk of credential theft and unauthorized access to DingTalk AI table data.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation encourages broad scanning of all accessible tables and generation of consolidated reports without warning that the output may contain sensitive commercial, project, or HR data. Even when access is technically permitted, aggregating findings across sources can create a higher-sensitivity artifact that is easier to disclose or misuse than the original records.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The examples describe scheduled report generation to files and writing analysis results into documents or AI tables, but do not warn that these outputs may persist sensitive business or personnel data in additional storage locations. Persistent copies increase the attack surface, retention period, and likelihood of unauthorized access through misconfigured permissions or oversharing.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The workflow explicitly sends enterprise table summaries to an LLM and indicates that titles, status-like fields, and example records are included, yet there is no clear user-facing warning about privacy implications or data-sharing boundaries. In a business-table analysis skill, this raises real confidentiality risk because examples and metadata can still contain sensitive project, personnel, or operational information.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The 'data safety' section states that UIDs, timestamps, and title/content are retained while failing to clearly warn users that personally identifiable and business-sensitive data may be exposed during model analysis. Because this skill is specifically designed to aggregate and analyze multiple enterprise tables, the context increases the sensitivity of even sampled records.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The quickstart explicitly encourages full-table scanning and saving generated insights to local files, but provides no warning that the scanned tables may contain sensitive business, personnel, financial, or customer data and that the output may reproduce or infer sensitive content. In this skill's context, cross-table analysis increases risk because aggregation and derived summaries can expose confidential relationships, anomalies, or identifiers even when raw records are only sampled.

VirusTotal

66/66 vendors flagged this skill as clean.