Dingtalk Bot Publish

What to check before installing or running this skill: 1) Credentials: SKILL.md (and scripts) require DINGTALK_APP_KEY and DINGTALK_APP_SECRET. The registry metadata does NOT declare these—don't run the skill until you set these in a secure vault or environment and understand where they will be used. 2) Dependencies: package.json only lists axios and ws, but the TypeScript scripts import @alicloud/dingtalk, @alicloud/openapi-client, @alicloud/tea-util, etc. Verify and install the missing SDK packages before running. This mismatch is likely an oversight but will break execution. 3) Script names and Stream setup: SKILL.md references a start script name and pip package names that don't exactly match included filenames. Inspect scripts/start-stream.sh, stream-bridge.py, and any start/stop shells to confirm what will execute, and run them in an isolated environment first (container or VM). 4) Network reachability & endpoints: Code calls oapi.dingtalk.com (expected). Confirm your environment permits outbound HTTPS to DingTalk and that you are comfortable granting the AppKey/AppSecret the requested DingTalk scopes. 5) Secrets handling & logs: Scripts print debug info and may log full API responses to stderr when --debug is used. Avoid running with debug enabled in production and ensure logs do not leak secrets. 6) Data persistence: Session memory is stored under a memory/ directory by default. If this contains sensitive conversation history, secure or relocate it and review retention/cleanup behavior. 7) Minimal privilege: When creating the DingTalk app, grant only the minimal scopes needed. Test in a non-production tenant first. 8) If you want higher confidence: ask the author for a corrected package.json and updated registry metadata declaring required env vars; run the code in an isolated environment and perform a dependency audit (npm list / npm audit) before granting credentials.