Security audit

Send messages to DingTalk contacts or groups

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do DingTalk message automation as advertised, but it can send real messages from the user's logged-in account without confirmation and exposes an unnecessary arbitrary queue-file path.

Review before installing. Only use this if you are comfortable giving it control of your keyboard, mouse, clipboard, and logged-in DingTalk session. Verify recipients and message text manually before each send, avoid batch mode for sensitive messages, do not provide custom queue_file paths, and prefer pinned dependency versions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documentation and file structure indicate local file read/write behavior via temporary queue state (`send_queue.json`), but no declared permissions are shown. Undeclared capabilities reduce transparency and can mislead users or policy enforcement about what the skill can access or modify on disk.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The published skill description says it sends a message to a specified contact, but the implementation also exposes a batch-sending workflow with persistent queue state across calls. This hidden expansion of capability matters because it enables broader message propagation than users or reviewers may expect, increasing the risk of misuse, spam, or unintended mass delivery.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The tool accepts an arbitrary queue_file path and then reads, overwrites, and deletes that path. This creates an unintended filesystem primitive unrelated to DingTalk messaging, allowing an attacker or prompt injection to tamper with accessible files, destroy data, or abuse the skill as a file-modification gadget.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger phrase `发钉钉` is broad enough to overlap with normal conversational requests, which can cause accidental invocation of an automation that sends real messages. In this skill, accidental activation is more dangerous than usual because it drives a desktop messaging client and can contact unintended recipients.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The skill supports batch automated messaging to multiple contacts, but the description does not clearly warn about the operational and social risks of mass messaging. Without prominent disclosure, users may trigger spam-like behavior, message the wrong people at scale, or violate workplace communication policies.

Missing User Warnings

High
Confidence
97% confidence
Finding
This code performs desktop automation that opens DingTalk, changes window state, clicks hard-coded screen coordinates, pastes clipboard content, and presses Enter to send messages without any confirmation gate. Because GUI state may differ from assumptions, the automation can act on the wrong window or conversation and transmit unintended content immediately.

Missing User Warnings

High
Confidence
98% confidence
Finding
The batch tool supports repeated message transmission to multiple recipients across successive calls, with persistent progress tracking. In the context of a desktop automation skill, this meaningfully increases abuse potential by enabling scalable spam, social engineering, or rapid unintended outreach without renewed user approval each step.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The code silently writes and deletes a queue file as part of operation, without surfacing that persistent local state is being created. While less severe than arbitrary-path access, undisclosed persistence can surprise users, leak contact/message metadata to disk, and complicate forensic understanding of what the skill stores.

Unpinned Dependencies

Low
Category
Supply Chain
Content
pyautogui
pygetwindow
pillow
pyperclip
Confidence
98% confidence
Finding
pyautogui

Unpinned Dependencies

Low
Category
Supply Chain
Content
pyautogui
pygetwindow
pillow
pyperclip
Confidence
98% confidence
Finding
pygetwindow

Unpinned Dependencies

Low
Category
Supply Chain
Content
pyautogui
pygetwindow
pillow
pyperclip
Confidence
99% confidence
Finding
pillow

Unpinned Dependencies

Low
Category
Supply Chain
Content
pyautogui
pygetwindow
pillow
pyperclip
Confidence
98% confidence
Finding
pyperclip

Known Vulnerable Dependency: pillow — 10 advisories: CVE-2016-2533 (Pillow buffer overflow in ImagingPcdDecode); CVE-2023-50447 (Arbitrary Code Execution in Pillow); CVE-2021-27922 (Pillow Uncontrolled Resource Consumption) +7 more

Critical
Category
Supply Chain
Confidence
94% confidence
Finding
pillow

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.