Dingtalk Bot Publish

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real DingTalk integration, but it needs review because it includes broad auto-publishing instructions and handles sensitive company data with weak logging/token safeguards.

Review before installing. Use a least-privilege DingTalk app, avoid --debug in shared logs, treat message-sending commands as real outbound actions, and remove or override the CLAUDE.md auto-publish instructions unless you explicitly want this skill to influence release workflows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The documented scope does not fully disclose that the skill can retrieve employee counts and user approval/todo statistics, which are organizationally sensitive data points. This mismatch can lead reviewers or users to grant or invoke the skill under incomplete assumptions, increasing the risk of unintended data exposure or over-privileged deployment.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The file instructs the agent to automatically execute a full release pipeline whenever a user asks to 'publish code', including editing files, committing, pushing to GitHub, and invoking an external publishing command. Because the trigger phrase is broad and ambiguous, a user request that merely discusses publishing or asks for help preparing a release could cause unintended high-impact actions, especially since the skill operates in a code/release context where those actions are powerful and externally visible.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The README advertises high-impact operations over sensitive enterprise data, including employee lookup, department enumeration, resigned-user records, approval workflows, and robot message sending, but gives no privacy, authorization, or change-management warnings. In an agent context, this increases the risk that users invoke data access or state-changing actions without understanding organizational sensitivity or operational consequences.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Documenting a debug mode that shows full API responses without warning is risky because DingTalk responses can contain PII, org structure details, approval contents, identifiers, and operational metadata. In shared terminals, logs, CI output, or agent traces, this can lead to inadvertent disclosure of sensitive enterprise information.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The --debug path prints the full DingTalk API response to stderr, which can contain personal user data beyond the intended output. In CLI and agent environments, stderr is often captured into logs, job histories, or observability systems, turning a temporary troubleshooting feature into persistent data exposure without an explicit warning or redaction.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
When --debug is enabled, the script prints the full API response, which may include personal employee data such as mobile numbers, email addresses, avatars, job numbers, and titles. In real environments, debug output is often captured by terminals, CI logs, shell history tooling, or centralized log collectors, creating an unnecessary PII exposure path beyond the intended API consumer.

Known Vulnerable Dependency: axios==1.13.5 — 10 advisory(ies): CVE-2025-62718 (Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF); CVE-2026-42044 (Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `pars); CVE-2026-42037 (Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in f) +7 more

High
Category
Supply Chain
Confidence
98% confidence
Finding
axios==1.13.5

Known Vulnerable Dependency: ws==8.19.0 — 1 advisory(ies): CVE-2026-45736 (ws: Uninitialized memory disclosure)

Low
Category
Supply Chain
Confidence
92% confidence
Finding
ws==8.19.0

VirusTotal

65/65 vendors flagged this skill as clean.