Send messages to DingTalk contacts or groups (给钉钉的联系人或者群发送信息)

Warn | Audited by ClawScan on May 10, 2026.

Overview

This skill has a clear DingTalk automation purpose, but it can immediately send messages from your logged-in account via global keyboard automation and includes under-documented recipient and queue-file behavior.

Install only if you trust this skill to send DingTalk messages as you. Test with a harmless contact first, verify the exact recipient and message before every run, check that no test_config.json is present, and clear any send_queue.json files after interrupted batches.

Findings (7)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent or script invocation can send DingTalk messages as the logged-in user, and wrong focus/window state could send text somewhere unintended.

Why it was flagged

The tool sends through global GUI automation and presses Enter to send, while the handler directly calls the send routine with no shown confirmation or preview gate.

Skill content
pyautogui.FAILSAFE = False ... pyautogui.press('enter') ... success, err = send_message_to_contact(contact, message)
Recommendation

Require explicit user confirmation with final recipient and message before each send, keep PyAutoGUI fail-safe enabled, verify the active DingTalk chat before pressing Enter, and limit batch size.

What this means

Messages sent by this skill will appear to come from the user's DingTalk account.

Why it was flagged

The skill relies on the user's already logged-in DingTalk desktop session, so actions are performed with that account's identity.

Skill content
"The DingTalk PC client must already be installed and logged in" (钉钉 PC 客户端需要已安装并登录)
Recommendation

Use it only on the intended DingTalk account and review every recipient/message before allowing the automation to run.

What this means

Users and recipients may expect messages to be marked as automated, while the shown implementation may send them without that disclosure.

Why it was flagged

The documentation claims an automation-disclosure suffix is appended, but the shown send path copies and sends the raw message variable without adding that suffix.

Skill content
SKILL.md: "All messages automatically get `【OpenClaw 自动发送】` (OpenClaw auto-sent) appended at the end" (所有消息会自动在末尾追加 `【OpenClaw 自动发送】`); server.py: "pyperclip.copy(message)"
Recommendation

Either implement the suffix consistently in every send path or remove the claim, and show the exact outgoing text before sending.

What this means

If such a config file exists, messages intended for real recipients could be redirected to a different contact.

Why it was flagged

An undeclared local test_config.json can switch test_mode on and replace all requested recipients with a test contact.

Skill content
config_file = os.path.join(os.path.dirname(__file__), "test_config.json") ... if test_mode: ... contacts = [test_contact for _ in contacts]
Recommendation

Remove test-mode recipient replacement from production, or document it clearly and require an explicit command-line opt-in before recipients are changed.
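The gate that the recommendations of this finding and the two before it ask for (a preview with the final recipient and exact text, PyAutoGUI fail-safe left on, the foreground window checked before Enter, a batch cap, the disclosure suffix applied in exactly one place, and recipient redirection only by explicit opt-in rather than a silent test_config.json), as an added Python example. This is not the skill's own code. The window-title check, the Ctrl+V paste shortcut, the MAX_BATCH value of 20 and the notion of a --test-contact flag are assumptions. The send and window-title lookups are injected, so the gate logic runs offline with fakes; the PyAutoGUI/PyGetWindow backends at the bottom only matter on a real desktop.

```python
"""Gated DingTalk send path: disclosure suffix applied in one place,
explicit test-mode opt-in, per-send confirmation, active-window check,
and a batch cap. Added example, not the skill's own code."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Sequence, Tuple

DISCLOSURE_SUFFIX = "【OpenClaw 自动发送】"  # the suffix SKILL.md promises
MAX_BATCH = 20                              # assumed cap; choose one that fits your use


@dataclass(frozen=True)
class SendJob:
    contact: str
    text: str  # the exact outgoing text, suffix included


def build_outgoing_text(message: str, suffix: str = DISCLOSURE_SUFFIX) -> str:
    """The only place outgoing text is produced, so every send path
    carries the disclosure suffix exactly once."""
    body = message.rstrip()
    if body.endswith(suffix):
        return body
    return f"{body} {suffix}"


def plan_jobs(contacts: Sequence[str], message: str,
              test_contact: Optional[str] = None,
              max_batch: int = MAX_BATCH) -> List[SendJob]:
    """Build the job list. Recipients are redirected only when the caller
    passes test_contact explicitly (e.g. from an assumed --test-contact CLI
    flag), never because a test_config.json happens to exist on disk."""
    if not contacts:
        raise ValueError("no recipients")
    if len(contacts) > max_batch:
        raise ValueError(f"batch of {len(contacts)} exceeds cap {max_batch}")
    text = build_outgoing_text(message)
    targets = [test_contact] * len(contacts) if test_contact else list(contacts)
    return [SendJob(contact=c, text=text) for c in targets]


def window_matches_contact(window_title: Optional[str], contact: str) -> bool:
    """True only if the foreground window title names the intended chat.
    Assumes DingTalk puts the chat name in the window title; verify on your build."""
    return bool(window_title) and contact in window_title


def execute(jobs: Sequence[SendJob], *,
            confirm: Callable[[SendJob], bool],
            active_window_title: Callable[[], Optional[str]],
            send: Callable[[SendJob], None]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Run each job through confirm -> window check -> send.
    Returns (contacts sent, [(contact, reason) skipped])."""
    sent: List[str] = []
    skipped: List[Tuple[str, str]] = []
    for job in jobs:
        if not confirm(job):                  # the user saw recipient + exact text
            skipped.append((job.contact, "not confirmed"))
            continue
        title = active_window_title()         # re-checked right before Enter
        if not window_matches_contact(title, job.contact):
            skipped.append((job.contact, f"foreground window {title!r} is not this chat"))
            continue
        send(job)
        sent.append(job.contact)
    return sent, skipped


def console_confirm(job: SendJob) -> bool:
    """Interactive confirmation showing exactly what will go out."""
    print(f"To: {job.contact}\nText: {job.text}")
    return input("Send? [y/N] ").strip().lower() == "y"


def pyautogui_send(job: SendJob) -> None:
    """Real backend. pyautogui.FAILSAFE is left at its default (True), so moving
    the mouse into a screen corner aborts. Paste shortcut assumed to be Ctrl+V."""
    import pyautogui   # imported lazily so the gate logic runs headless
    import pyperclip
    if not pyautogui.FAILSAFE:
        raise RuntimeError("refusing to send with the PyAutoGUI fail-safe disabled")
    pyperclip.copy(job.text)
    pyautogui.hotkey("ctrl", "v")
    pyautogui.press("enter")


def pygetwindow_title() -> Optional[str]:
    """Foreground window title via PyGetWindow (assumed available on this platform)."""
    import pygetwindow
    win = pygetwindow.getActiveWindow()
    return getattr(win, "title", None) if win else None


if __name__ == "__main__":
    # Offline dry run with fake backends; no DingTalk window is touched.
    jobs = plan_jobs(["Alice", "Bob"], "Standup moved to 10:00")
    sent, skipped = execute(jobs, confirm=lambda j: True,
                            active_window_title=lambda: "Alice - DingTalk",
                            send=lambda j: None)
    print("sent:", sent, "skipped:", skipped)
```

On a real desktop the call becomes `execute(jobs, confirm=console_confirm, active_window_title=pygetwindow_title, send=pyautogui_send)`; because the window title is read again immediately before each Enter, a chat that changed focus between confirmation and send is skipped rather than sent to the wrong place.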

What this means

A bad or mistaken queue path could overwrite or delete files the process can access.

Why it was flagged

The tool schema allows a caller-controlled queue_file path, and the queue helpers write to and delete that path without a shown directory restriction.

Skill content
"queue_file": {"type": "string", "description": "Queue file path (optional; defaults to a temporary file)"} (队列文件路径(可选,默认使用临时文件)) ... if queue_file: return queue_file ... with open(path, 'w', encoding='utf-8') as f ... os.remove(path)
Recommendation

Restrict queue files to a dedicated skill data directory, reject absolute paths and parent-directory traversal, and avoid exposing queue_file as a model-controlled argument.

What this means

Interrupted batches may leave message text and recipient lists on disk.

Why it was flagged

Batch mode stores contact names and message content in a local JSON queue until completion or cleanup.

Skill content
queue_data = {"contacts": contacts, "message": message, "current_index": 0, "test_mode": test_mode} ... json.dump(queue_data, f, ensure_ascii=False, indent=2)
Recommendation

Avoid putting highly sensitive content in batch queues, and manually remove send_queue.json after failures or aborted runs.
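The queue handling that the recommendations of this finding and the previous one describe (queue files confined to a dedicated data directory with absolute paths and parent-directory traversal rejected, the file created 0600, and the queue removed once the batch finishes or fails), as an added Python example. This is not the skill's own code. The DINGTALK_SKILL_DATA environment variable, the ~/.dingtalk_skill/queues default and the bare-filename rule are assumptions; the JSON layout matches the queue_data shown in the finding. The send function is injected so the example runs without DingTalk.

```python
"""Queue-file handling for batch sends: the path is confined to a skill data
directory, the file is created 0600 and written atomically, and it is removed
when the batch finishes. Added example, not the skill's own code."""
import json
import os
import tempfile
from pathlib import Path
from typing import Callable, List, Optional, Sequence

# Assumed data directory; the skill does not document where its temp file goes.
QUEUE_DIR = Path(os.environ.get("DINGTALK_SKILL_DATA",
                                str(Path.home() / ".dingtalk_skill"))) / "queues"


def resolve_queue_path(queue_file: Optional[str], base_dir: Path = QUEUE_DIR) -> Path:
    """Map an optional caller-supplied queue_file to a path inside base_dir.
    Only a bare *.json filename is accepted: no absolute paths, no directories,
    no '..'. With no name, a fresh 0600 temp file inside base_dir is used."""
    base = base_dir.resolve()
    base.mkdir(parents=True, exist_ok=True, mode=0o700)
    if not queue_file:
        fd, name = tempfile.mkstemp(prefix="send_queue_", suffix=".json", dir=base)
        os.close(fd)                          # mkstemp already created it 0600
        return Path(name)
    p = Path(queue_file)
    if p.is_absolute() or len(p.parts) != 1 or ".." in p.parts or p.suffix != ".json":
        raise ValueError(f"queue_file must be a bare *.json name, got {queue_file!r}")
    candidate = (base / p).resolve()
    if candidate.parent != base:              # belt and braces after resolve()
        raise ValueError(f"queue_file escapes {base}: {queue_file!r}")
    return candidate


def write_queue(path: Path, contacts: Sequence[str], message: str,
                current_index: int = 0, test_mode: bool = False) -> None:
    """Create or replace the queue with 0600 permissions via temp file + rename."""
    data = {"contacts": list(contacts), "message": message,
            "current_index": current_index, "test_mode": test_mode}
    tmp = path.with_name(path.name + ".tmp")
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        json.dump(data, f, ensure_ascii=False, indent=2)
    os.replace(tmp, path)


def read_queue(path: Path) -> dict:
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def run_batch(path: Path, contacts: Sequence[str], message: str,
              send: Callable[[str, str], None], keep_on_failure: bool = False) -> int:
    """Send to each contact, checkpointing current_index after every success.
    The queue is deleted on completion and, unless keep_on_failure is set for a
    later resume, also on failure, so recipients and text do not linger on disk
    by accident. Returns the number of messages sent."""
    write_queue(path, contacts, message)
    sent = 0
    try:
        for i, contact in enumerate(contacts):
            send(contact, message)
            sent = i + 1
            write_queue(path, contacts, message, current_index=sent)
    except Exception:
        if not keep_on_failure:
            path.unlink(missing_ok=True)
        raise
    path.unlink(missing_ok=True)
    return sent


def stale_queues(base_dir: Path = QUEUE_DIR) -> List[Path]:
    """Queue files left behind by interrupted batches; review and delete them."""
    base = base_dir.resolve()
    return sorted(base.glob("*.json")) if base.is_dir() else []


def demo_queue_dir() -> Path:
    """Throwaway directory for the offline demo."""
    return Path(tempfile.mkdtemp(prefix="dingtalk_queue_"))


if __name__ == "__main__":
    d = demo_queue_dir()
    q = resolve_queue_path("standup.json", d)
    n = run_batch(q, ["Alice", "Bob"], "Standup moved to 10:00",
                  send=lambda c, m: print(f"(dry run) {c}: {m}"))
    print(f"sent {n}, leftover queues: {stale_queues(d)}")
```

Because queue_file is reduced to a filename inside a directory the skill owns, a model-controlled argument can no longer name an arbitrary path for `open(..., 'w')` or `os.remove`; `stale_queues()` gives the operator the list to clear after an aborted run instead of hunting for send_queue.json by hand.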

What this means

Users have less assurance about provenance and may install whatever current package versions pip resolves.

Why it was flagged

The required packages are reasonable for GUI automation, but the source is unknown and dependencies are unpinned.

Skill content
Source: unknown; Homepage: none; SKILL.md: "pip install pyautogui pygetwindow pillow pyperclip"; requirements.txt: "pyautogui\npygetwindow\npillow\npyperclip"
Recommendation

Publish a clear source/homepage, pin dependency versions, and provide an install spec that matches the documented setup.