Skill v1.0.0

ClawScan security

dingtalk-openclaw · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious (Mar 12, 2026, 5:38 AM)
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's described purpose (DingTalk <> OpenClaw connector) matches the instructions, but there are notable mismatches and insecure practices around credentials and file handling that the package metadata does not declare.
Guidance
This skill implements a legitimate DingTalk → OpenClaw chat bridge, but the metadata fails to declare required credentials and the instructions encourage storing secrets in plaintext and writing to a hardcoded user path. Before installing or running it: (1) obtain and store APP_KEY/APP_SECRET, WEBHOOK_URL, and OPENCLAW_TOKEN securely (prefer environment variables or a secrets manager rather than config.py); (2) avoid hardcoded paths — change PROCESSED_FILE to a directory you control and ensure file permissions restrict access; (3) verify the dingtalk-stream package source (PyPI project page) to ensure it's legitimate; (4) ensure the DingTalk webhook is restricted (use signature/secret if available) and that OpenClaw runs on a trusted host (127.0.0.1 is safer than a public endpoint); (5) because the skill metadata omits required secrets and has no source/homepage, exercise extra caution — ask the publisher for source code or a repository and for declared required env vars before trusting this skill. If you cannot verify the package origin or publisher, treat the skill as untrusted.

Review Dimensions

Purpose & Capability
Note: The skill is a DingTalk Stream → OpenClaw connector and the code and instructions implement that. Required secrets (DingTalk APP_KEY/APP_SECRET, OpenClaw token, DingTalk webhook) are consistent with the stated purpose — but the skill metadata claims 'no required env vars' and provides no primary credential, which is inconsistent with the runtime instructions that require multiple credentials.
Instruction Scope
Concern: SKILL.md gives precise runtime code that reads/writes local files, registers a callback handler, posts requests to an internal OpenClaw HTTP API and to an external DingTalk webhook. It also instructs creating a plaintext config.py containing secrets and writes a processed-message file to a hardcoded user path. The instructions grant the skill broad discretion to send chat content externally (to OpenClaw) and to store identifiers locally — this is expected for the connector but the plaintext credential handling and hardcoded paths are insecure and not declared in metadata.
Install Mechanism
OK: Instruction-only skill with no install spec or downloadable code; runtime requires pip packages (dingtalk-stream, requests). No installers or external archives are fetched by the skill itself, minimizing install-time risk.
Credentials
Concern: The code requires several secrets (APP_KEY, APP_SECRET, WEBHOOK_URL, OPENCLAW_TOKEN) but the registry metadata lists none. Requiring multiple tokens is proportionate to the purpose, but not declaring them is a transparency problem. Additionally, the guidance tells users to store these secrets in a plaintext config.py, which is insecure. The skill also writes to a hardcoded path (C:/Users/.../.openclaw/...), which implies filesystem access that should be disclosed.
Persistence & Privilege
Note: The skill is not always-enabled and does not request elevated platform privileges. It does persist state by appending processed message IDs to a local file and instructs editing the user's OpenClaw gateway config; those are reasonable for a long-running bot but should be called out. Autonomous invocation (default) is allowed — expected for connector skills.