Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Dingtalk Api

v0.0.1

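Calls the DingTalk Open Platform API, supporting core functions such as user search/details/query, department management (search/details/sub-departments/user list/parent departments), robot one-to-one chat message sending, group chat message sending, querying the list of robots in a group, Stream-mode event push, and multi-session isolation management. Use when needing to search DingTalk users or departmen...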

2· 11.7k·1 current·2 all-time
by Zao_hon @zaohon
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's name, README and SKILL.md describe a DingTalk API integration and the included scripts implement that functionality (user/department management, messaging, Stream mode). However the registry metadata claims no required environment variables or primary credential while SKILL.md and many scripts explicitly require DINGTALK_APP_KEY and DINGTALK_APP_SECRET. Other metadata mismatches exist: package.json name/version differ from _meta.json and the registry listing (slug/ownerId/version). Those discrepancies indicate the published metadata does not accurately describe the package.
Instruction Scope
SKILL.md and the scripts are explicit about what to run (ts-node scripts/*.ts, Python virtualenv and pip install dingtalk-stream, start/stop scripts). The runtime instructions only reference expected resources (env vars, memory directory, network access to oapi.dingtalk.com, and a public HTTPS endpoint for Stream). They do not demand unrelated system files. However a prompt-injection detection (unicode-control-chars) was raised in SKILL.md which could indicate attempts to manipulate automated evaluators or an encoding anomaly—this should be inspected.
!
Install Mechanism
The package declares 'No install spec' (instruction-only) in the registry metadata but actually contains hundreds of source files and a full Python virtualenv (venv/) with many vendored packages. Bundling a prebuilt venv and numerous third‑party packages inflates attack surface and is unusual/unnecessary for an instruction-only skill. The repo also contains packaging/publish helper scripts that assume local filesystem operations. There are no remote download URLs in the provided manifest, but the presence of vendored binaries and site-packages is disproportionate and should be inspected or removed.
Credentials
The runtime code consistently requires DINGTALK_APP_KEY and DINGTALK_APP_SECRET (appropriate and proportional for calling DingTalk APIs). The problem is the registry-level 'Required env vars: none' contradicts the actual needs; that mismatch is concerning because an installer or automation might not prompt the user for these secrets. Apart from the expected DingTalk credentials, the code does not appear to require unrelated secrets.
Persistence & Privilege
always:false (good). The skill contains code that can send messages via DingTalk robots and run a long-lived Stream bridge (WebSocket/HTTP server). If the agent platform allows autonomous invocation, this capability increases blast radius (the skill could be used to send messages or perform operations in your DingTalk org). That by itself is expected for a messaging integration, but because of the metadata and packaging inconsistencies you should be cautious about granting autonomous invocation without explicit trust controls.
Scan Findings in Context
[unicode-control-chars] unexpected: The prompt-injection detector found unicode control characters in SKILL.md. This is not expected for a normal documentation file and may be an attempt to influence automated evaluators or could be an encoding artifact; review SKILL.md for hidden characters.
What to consider before installing
What to check before installing or running this skill:
1) Metadata mismatches: The registry listing claims no required env vars, but SKILL.md and scripts require DINGTALK_APP_KEY and DINGTALK_APP_SECRET. Owner/slug/version values also differ between files. Ask the publisher to explain and correct these mismatches. Do not rely solely on the registry metadata.
2) Inspect the package contents locally: this bundle includes a full Python virtualenv (venv/) and many vendored packages. Large vendored artifacts increase risk—consider obtaining a clean source-only release (no venv) or rebuilding dependencies from official registries yourself.
3) SKILL.md prompt-injection signal: open SKILL.md in a hex-aware editor and search for non-printable/unicode-control characters. Remove or ask the author about any suspicious hidden characters.
4) Least privilege for credentials: Only provide the DingTalk AppKey/AppSecret to a package you trust. Prefer creating a dedicated enterprise internal application with minimal permissions and rotate credentials after testing. Never paste long-lived enterprise credentials into remote UIs or public places.
5) Sandbox test: Run the scripts in an isolated environment (VM/container) and with a test DingTalk application (not production org). Verify network endpoints contacted are only DingTalk's oapi.dingtalk.com or other documented endpoints.
6) Limit autonomous actions: If possible, disable automatic skill invocation until you have validated behavior. Because the skill can send robot messages and run a Stream bridge, unrestricted autonomous access could cause unwanted messages or actions in your org.
7) Source provenance: The package references 'clawhub' publishing scripts and a GitHub clone URL in README; prefer to install from an official, trusted repository (e.g., the publisher's verified GitHub or a vetted registry) and confirm the publisher identity matches the registry owner.
If you cannot validate the provenance and clean up the bundled environment (remove venv, fix metadata, remove hidden characters), treat this package as untrusted and do not provide real production credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk976j33b3veztyw3jkyv5v3ypn81x3kj
