Security audit

DingTalk OA Approval Tool (钉钉 OA 审批工具)

Security checks across malware telemetry and agentic risk

Overview

This appears to be a genuine DingTalk approval helper, but it can approve or reject live workplace workflows in one step without a built-in confirmation check.

Install only if you intentionally want an agent to read and act on real DingTalk approval tasks. Use a dedicated least-privilege DingTalk app, protect the appSecret, avoid shared or admin user IDs, and require the assistant to show the exact task details and get explicit confirmation before every approve or reject action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill clearly describes use of external DingTalk APIs and requires network access plus sensitive credentials, yet no explicit permissions are declared. This creates a transparency and governance gap: operators and users may not understand that the skill can reach external services and act on business approval data.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README advertises that the skill can execute approval and rejection actions but does not clearly warn that these are real workflow decisions affecting business processes. In an enterprise approval context, users may treat the skill as informational and trigger consequential actions without understanding that the plugin can submit irreversible or hard-to-reverse approvals on their behalf.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The example shows the assistant approving a request directly from a conversational command without any caution, confirmation, or notice that this is a live approval action. That interaction pattern can normalize one-shot execution of sensitive business decisions, increasing the risk of accidental approvals, social engineering, or misunderstood intent.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger conditions are broad natural-language phrases such as references to approvals, pending tasks, or work notifications, which could cause the skill to activate in ambiguous contexts. In a skill that can query sensitive approval data and perform approve/reject actions, misrouting user intent can expose data or lead to unintended operational steps.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation instructs direct execution of approval actions such as AGREE or REFUSE without requiring an explicit confirmation step or strong warning for irreversible business effects. Because these actions modify enterprise workflow state, an accidental, ambiguous, or socially engineered request could cause unauthorized approval/rejection of HR, finance, or contract items.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill performs an irreversible approval action immediately once called, with no built-in confirmation, re-authentication, or anti-misfire safeguard. In an agent environment, a mistaken prompt interpretation or tool invocation could approve or reject a real business workflow item, causing unauthorized business actions and audit issues.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The document describes an approval-execution API that can perform state-changing actions such as agree/refuse, but it does not warn that these operations are destructive, require explicit user confirmation, and may have business or HR consequences. In an agent skill context, omission of such guardrails increases the risk that an automation or LLM-driven workflow triggers unintended approvals or rejections.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.