Back to skill
Skillv2.0.0
ClawScan security
Dingtalk Connector Guide · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 16, 2026, 6:50 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This is an instruction-only guide for connecting an OpenClaw agent to DingTalk; its requirements and instructions are coherent with that purpose and it does not request unexpected credentials or install actions.
- Guidance
- This file is a plaintext setup guide (no code) for connecting OpenClaw to DingTalk. Before following it: 1) verify you trust the OpenClaw binary/service that will store your AppKey/AppSecret; 2) store AppKey/AppSecret in a secure place (secrets manager or verified OpenClaw config) and avoid pasting them into untrusted UIs; 3) if you use ngrok or another tunnel, be aware traffic will be exposed through that service; 4) the contact details and paid support offers in the doc are external and unrelated to the skill—treat them like any third‑party vendor outreach. If you need a higher assurance review, ask for the exact OpenClaw client implementation or documentation that will handle your credentials.
Review Dimensions
- Purpose & Capability
- okName/description match the content: the SKILL.md is a step‑by‑step guide to create a DingTalk app and configure OpenClaw. It does not request unrelated binaries, services, or credentials.
- Instruction Scope
- noteInstructions stay within the scope of onboarding a DingTalk bot (creating app, obtaining AppKey/AppSecret, webhook URL, OpenClaw commands, optional ngrok for tunneling). It tells the user to place settings in ~/.openclaw/config.yaml and to run openclaw commands — expected for this guide. Note: it suggests using ngrok (an external tunnel) and entering secrets into OpenClaw; users should ensure they trust the OpenClaw binary/service before providing secrets.
- Install Mechanism
- okNo install spec or code is included (instruction-only), so nothing is downloaded or written by the skill itself.
- Credentials
- okThe guide does not declare or request environment variables or unrelated credentials. It appropriately expects the user to obtain DingTalk AppKey/AppSecret for the integration; these are proportionate to the described task. Users should store them securely in OpenClaw or a secrets manager.
- Persistence & Privilege
- okalways is false and there are no code files that would persist or modify other skills. The guide references editing OpenClaw's own config file (~/.openclaw/config.yaml), which is appropriate for this integration.