Dingtalk Api
ReviewAudited by ClawScan on May 10, 2026.
Overview
This DingTalk integration is mostly related to its stated purpose, but it needs review because it under-declares powerful DingTalk credentials, ships ambiguous bundled dependencies, and includes risky publishing/credential artifacts.
Install only if you control the DingTalk app credentials and understand the permissions granted. Before enabling it, inspect or remove the bundled virtualenv, resolve the package/version mismatches, rotate any possibly exposed credential, and require explicit confirmation for message sending, approval actions, Stream auto-replies, git pushes, or ClawHub publishing.
Findings (8)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may install the skill without realizing it needs powerful DingTalk app credentials that can expose company user data or allow messages and workflow actions.
The skill requires DingTalk app credentials, but the supplied registry metadata declares no required environment variables and no primary credential. These credentials can govern enterprise directory access, messaging, and approval operations.
export DINGTALK_APP_KEY="<your-app-key>" export DINGTALK_APP_SECRET="<your-app-secret>"
Declare the required DingTalk credentials and expected API scopes in metadata, use a least-privilege DingTalk app, and require explicit user approval for mutations.
If invoked with sufficient DingTalk permissions, the agent could send internal messages or change approval workflow state.
The skill documents capabilities to send DingTalk messages and perform approval workflow actions. These are purpose-aligned, but they are high-impact actions in a business account.
机器人单聊消息发送 - 机器人群聊消息发送 ... - 发起、终止、执行、转交审批任务
Use least-privilege scopes and require confirmation before sending messages or performing approval actions.
Once enabled, the bot can keep operating and replying in DingTalk without a per-message manual step.
Stream mode is described as a persistent WebSocket listener that can automatically route AI-generated replies back into DingTalk.
通过WebSocket长连接接收钉钉事件... AI生成的回复直接通过钉钉API发送
Enable Stream mode only intentionally, monitor the running service, and keep start/stop controls and reply policies clear.
DingTalk conversation history or preferences may be saved locally and influence future responses.
The skill stores per-session conversation memory on disk. This is disclosed and purpose-aligned, but persistent memory can contain sensitive chat content or be reused across later replies.
记忆持久化:会话记忆保存在 `memory/` 目录下 - **自动清理**:24小时无活动的会话自动清理
Store memory in a protected directory, document retention clearly, and provide an easy way to inspect and delete saved session data.
Users may install far more executable code than expected, including platform-specific or stale dependencies.
The package includes a full Python virtual environment with hundreds of third-party files even though the registry says there is no install spec and the skill is instruction-only. This expands the reviewed code surface and makes dependency provenance less clear.
venv/dingtalk_venv/lib/python3.12/site-packages/...
Do not bundle a virtualenv; instead provide a minimal requirements file or pinned install instructions, and make dependency provenance explicit.
Users may not know which package, version, or publisher they are actually trusting.
This conflicts with the supplied registry/package identity of dingtalk-bot version 0.0.1, and other files also reference dingtalk-api. The reviewed artifact's package identity and version are ambiguous.
"slug": "dingtalk-api", "version": "1.4.0"
Align registry metadata, _meta.json, README, package.json, and package-lock.json before publication.
A real DingTalk or related secret could be leaked in the package, and users cannot tell whether it has been rotated.
A high-entropy value labeled by the surrounding script as a hardcoded credential check remains in the published artifact. It is not shown being used, but if real it is an exposed secret.
grep -r "Z79qoYdbr_y1dFWHefNKy6JO8DaYmGoyBt10ohvtHQoZhl6Xe5OPA5Vi3DeB_719" . --exclude-dir=.git
Remove the literal, rotate the associated credential if it was real, and use secret-scanning tooling that does not publish the secret value itself.
If an agent loads this file as instructions, it could perform repository and ClawHub publishing actions outside the DingTalk integration task.
This agent-facing project instruction is unrelated to the DingTalk API purpose and tells an agent to automatically modify, push, and publish code when triggered by a user request.
用户要求发布代码时,自动执行以下步骤... git add/commit/push 到 GitHub,然后 `clawhub publish` 发布到 ClawHub
Remove CLAUDE.md from the published skill or rewrite it as maintainer-only documentation that requires explicit confirmation for git and publishing commands.