Dingtalk Api

Advisory

Audited by Static analysis on May 10, 2026.

Overview

Detected: suspicious.dynamic_code_execution, suspicious.exposed_secret_literal, suspicious.insecure_tls_verification (+1 more)

Findings (41)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user may install the skill without realizing it needs powerful DingTalk app credentials that can expose company user data or allow messages and workflow actions.

Why it was flagged

The skill requires DingTalk app credentials, but the supplied registry metadata declares no required environment variables and no primary credential. These credentials can govern enterprise directory access, messaging, and approval operations.

Skill content

export DINGTALK_APP_KEY="<your-app-key>"
export DINGTALK_APP_SECRET="<your-app-secret>"

Recommendation

Declare the required DingTalk credentials and expected API scopes in metadata, use a least-privilege DingTalk app, and require explicit user approval for mutations.

What this means

If invoked with sufficient DingTalk permissions, the agent could send internal messages or change approval workflow state.

Why it was flagged

The skill documents capabilities to send DingTalk messages and perform approval workflow actions. These are purpose-aligned, but they are high-impact actions in a business account.

Skill content

- Send robot one-on-one (private chat) messages
- Send robot group chat messages
...
- Initiate, terminate, execute, and transfer approval tasks

Recommendation

Use least-privilege scopes and require confirmation before sending messages or performing approval actions.

What this means

Once enabled, the bot can keep operating and replying in DingTalk without a per-message manual step.

Why it was flagged

Stream mode is described as a persistent WebSocket listener that can automatically route AI-generated replies back into DingTalk.

Skill content

Receive DingTalk events over a persistent WebSocket connection... AI-generated replies are sent directly through the DingTalk API

Recommendation

Enable Stream mode only intentionally, monitor the running service, and keep start/stop controls and reply policies clear.

What this means

DingTalk conversation history or preferences may be saved locally and influence future responses.

Why it was flagged

The skill stores per-session conversation memory on disk. This is disclosed and purpose-aligned, but persistent memory can contain sensitive chat content or be reused across later replies.

Skill content

Memory persistence: session memory is saved under the `memory/` directory
- **Automatic cleanup**: sessions with no activity for 24 hours are cleaned up automatically

Recommendation

Store memory in a protected directory, document retention clearly, and provide an easy way to inspect and delete saved session data.

What this means

Users may install far more executable code than expected, including platform-specific or stale dependencies.

Why it was flagged

The package includes a full Python virtual environment with hundreds of third-party files even though the registry says there is no install spec and the skill is instruction-only. This expands the reviewed code surface and makes dependency provenance less clear.

Skill content

venv/dingtalk_venv/lib/python3.12/site-packages/...

Recommendation

Do not bundle a virtualenv; instead provide a minimal requirements file or pinned install instructions, and make dependency provenance explicit.

What this means

Users may not know which package, version, or publisher they are actually trusting.

Why it was flagged

The package identity shown in the skill content (slug dingtalk-api, version 1.4.0) conflicts with the supplied registry/package identity of dingtalk-bot version 0.0.1, and other files also reference dingtalk-api. The reviewed artifact's package identity and version are therefore ambiguous.

Skill content

"slug": "dingtalk-api",
  "version": "1.4.0"

Recommendation

Align registry metadata, _meta.json, README, package.json, and package-lock.json before publication.

What this means

A real DingTalk or related secret could be leaked in the package, and users cannot tell whether it has been rotated.

Why it was flagged

A high-entropy value labeled by the surrounding script as a hardcoded credential check remains in the published artifact. It is not shown being used, but if real it is an exposed secret.

Skill content

grep -r "Z79qoYdbr_y1dFWHefNKy6JO8DaYmGoyBt10ohvtHQoZhl6Xe5OPA5Vi3DeB_719" . --exclude-dir=.git

Recommendation

Remove the literal, rotate the associated credential if it was real, and use secret-scanning tooling that does not publish the secret value itself.

What this means

If an agent loads this file as instructions, it could perform repository and ClawHub publishing actions outside the DingTalk integration task.

Why it was flagged

This agent-facing project instruction is unrelated to the DingTalk API purpose and tells an agent to automatically modify, push, and publish code when triggered by a user request.

Skill content

When the user asks to publish code, automatically run the following steps... git add/commit/push to GitHub, then `clawhub publish` to publish to ClawHub

Recommendation

Remove CLAUDE.md from the published skill or rewrite it as maintainer-only documentation that requires explicit confirmation for git and publishing commands.

Findings (41)

critical

suspicious.dynamic_code_execution

Location
venv/dingtalk_venv/lib/python3.12/site-packages/attr/_make.py:227
Finding
Dynamic code execution detected.
critical

suspicious.dynamic_code_execution

Location
venv/dingtalk_venv/lib/python3.12/site-packages/pip/_vendor/distlib/wheel.py:131
Finding
Dynamic code execution detected.
critical

suspicious.dynamic_code_execution

Location
venv/dingtalk_venv/lib/python3.12/site-packages/pip/_vendor/pygments/formatters/__init__.py:91
Finding
Dynamic code execution detected.
critical

suspicious.dynamic_code_execution

Location
venv/dingtalk_venv/lib/python3.12/site-packages/pip/_vendor/pyparsing/results.py:57
Finding
Dynamic code execution detected.
critical

suspicious.dynamic_code_execution

Location
venv/dingtalk_venv/lib/python3.12/site-packages/pip/_vendor/typing_extensions.py:1251
Finding
Dynamic code execution detected.
critical

suspicious.dynamic_code_execution

Location
venv/dingtalk_venv/lib/python3.12/site-packages/typing_extensions.py:1485
Finding
Dynamic code execution detected.
critical

suspicious.exposed_secret_literal

Location
venv/dingtalk_venv/lib/python3.12/site-packages/dingtalk_stream/card_replier.py:83
Finding
File appears to expose a hardcoded API secret or token.
critical

suspicious.exposed_secret_literal

Location
venv/dingtalk_venv/lib/python3.12/site-packages/dingtalk_stream/chatbot.py:533
Finding
File appears to expose a hardcoded API secret or token.
critical

suspicious.exposed_secret_literal

Location
venv/dingtalk_venv/lib/python3.12/site-packages/dingtalk_stream/stream.py:233
Finding
File appears to expose a hardcoded API secret or token.
critical

suspicious.exposed_secret_literal

Location
venv/dingtalk_venv/lib/python3.12/site-packages/pip/_internal/network/auth.py:93
Finding
File appears to expose a hardcoded API secret or token.
critical

suspicious.exposed_secret_literal

Location
venv/dingtalk_venv/lib/python3.12/site-packages/pip/_vendor/requests/adapters.py:214
Finding
File appears to expose a hardcoded API secret or token.
critical

suspicious.exposed_secret_literal

Location
venv/dingtalk_venv/lib/python3.12/site-packages/pip/_vendor/requests/sessions.py:323
Finding
File appears to expose a hardcoded API secret or token.
critical

suspicious.exposed_secret_literal

Location
venv/dingtalk_venv/lib/python3.12/site-packages/pip/_vendor/urllib3/connection.py:423
Finding
File appears to expose a hardcoded API secret or token.
critical

suspicious.exposed_secret_literal

Location
venv/dingtalk_venv/lib/python3.12/site-packages/pip/_vendor/urllib3/connectionpool.py:988
Finding
File appears to expose a hardcoded API secret or token.
critical

suspicious.exposed_secret_literal

Location
venv/dingtalk_venv/lib/python3.12/site-packages/pip/_vendor/urllib3/contrib/_securetransport/low_level.py:231
Finding
File appears to expose a hardcoded API secret or token.
critical

suspicious.exposed_secret_literal

Location
venv/dingtalk_venv/lib/python3.12/site-packages/pip/_vendor/urllib3/contrib/socks.py:102
Finding
File appears to expose a hardcoded API secret or token.
critical

suspicious.exposed_secret_literal

Location
venv/dingtalk_venv/lib/python3.12/site-packages/requests/adapters.py:257
Finding
File appears to expose a hardcoded API secret or token.
critical

suspicious.exposed_secret_literal

Location
venv/dingtalk_venv/lib/python3.12/site-packages/requests/sessions.py:322
Finding
File appears to expose a hardcoded API secret or token.
critical

suspicious.exposed_secret_literal

Location
venv/dingtalk_venv/lib/python3.12/site-packages/urllib3/connection.py:807
Finding
File appears to expose a hardcoded API secret or token.
critical

suspicious.exposed_secret_literal

Location
venv/dingtalk_venv/lib/python3.12/site-packages/urllib3/connectionpool.py:1073
Finding
File appears to expose a hardcoded API secret or token.
critical

suspicious.exposed_secret_literal

Location
venv/dingtalk_venv/lib/python3.12/site-packages/urllib3/contrib/socks.py:116
Finding
File appears to expose a hardcoded API secret or token.
critical

suspicious.exposed_secret_literal

Location
venv/dingtalk_venv/lib/python3.12/site-packages/websockets/asyncio/server.py:944
Finding
File appears to expose a hardcoded API secret or token.
critical

suspicious.exposed_secret_literal

Location
venv/dingtalk_venv/lib/python3.12/site-packages/websockets/legacy/auth.py:98
Finding
File appears to expose a hardcoded API secret or token.
critical

suspicious.exposed_secret_literal

Location
venv/dingtalk_venv/lib/python3.12/site-packages/websockets/proxy.py:93
Finding
File appears to expose a hardcoded API secret or token.
critical

suspicious.exposed_secret_literal

Location
venv/dingtalk_venv/lib/python3.12/site-packages/websockets/sync/server.py:716
Finding
File appears to expose a hardcoded API secret or token.
critical

suspicious.exposed_secret_literal

Location
venv/dingtalk_venv/lib/python3.12/site-packages/websockets/uri.py:105
Finding
File appears to expose a hardcoded API secret or token.
critical

suspicious.exposed_secret_literal

Location
venv/dingtalk_venv/lib/python3.12/site-packages/yarl/_parse.py:119
Finding
File appears to expose a hardcoded API secret or token.
critical

suspicious.exposed_secret_literal

Location
venv/dingtalk_venv/lib/python3.12/site-packages/yarl/_url.py:1084
Finding
File appears to expose a hardcoded API secret or token.
warn

suspicious.insecure_tls_verification

Location
venv/dingtalk_venv/lib/python3.12/site-packages/aiohttp/connector.py:912
Finding
HTTPS certificate verification is disabled.
warn

suspicious.insecure_tls_verification

Location
venv/dingtalk_venv/lib/python3.12/site-packages/pip/_internal/network/session.py:304
Finding
HTTPS certificate verification is disabled.
warn

suspicious.insecure_tls_verification

Location
venv/dingtalk_venv/lib/python3.12/site-packages/pip/_vendor/distlib/wheel.py:183
Finding
HTTPS certificate verification is disabled.
warn

suspicious.insecure_tls_verification

Location
venv/dingtalk_venv/lib/python3.12/site-packages/pip/_vendor/truststore/_macos.py:353
Finding
HTTPS certificate verification is disabled.
warn

suspicious.insecure_tls_verification

Location
venv/dingtalk_venv/lib/python3.12/site-packages/pip/_vendor/truststore/_windows.py:443
Finding
HTTPS certificate verification is disabled.
warn

suspicious.insecure_tls_verification

Location
venv/dingtalk_venv/lib/python3.12/site-packages/pip/_vendor/urllib3/connection.py:454
Finding
HTTPS certificate verification is disabled.
warn

suspicious.insecure_tls_verification

Location
venv/dingtalk_venv/lib/python3.12/site-packages/pip/_vendor/urllib3/contrib/pyopenssl.py:113
Finding
HTTPS certificate verification is disabled.
warn

suspicious.insecure_tls_verification

Location
venv/dingtalk_venv/lib/python3.12/site-packages/pip/_vendor/urllib3/contrib/securetransport.py:795
Finding
HTTPS certificate verification is disabled.
warn

suspicious.insecure_tls_verification

Location
venv/dingtalk_venv/lib/python3.12/site-packages/pip/_vendor/urllib3/util/ssl_.py:137
Finding
HTTPS certificate verification is disabled.
warn

suspicious.insecure_tls_verification

Location
venv/dingtalk_venv/lib/python3.12/site-packages/urllib3/connection.py:951
Finding
HTTPS certificate verification is disabled.
warn

suspicious.insecure_tls_verification

Location
venv/dingtalk_venv/lib/python3.12/site-packages/urllib3/contrib/pyopenssl.py:84
Finding
HTTPS certificate verification is disabled.
warn

suspicious.insecure_tls_verification

Location
venv/dingtalk_venv/lib/python3.12/site-packages/urllib3/util/ssl_.py:353
Finding
HTTPS certificate verification is disabled.
warn

suspicious.obfuscated_code

Location
venv/dingtalk_venv/lib/python3.12/site-packages/yarl/_parse.py:14
Finding
Potential obfuscated payload detected.