ClawHub

DingTalk Sheets

v0.0.6

管理钉钉在线表格中的表格文件、工作表和单元格数据。当用户想要创建表格、查看工作表、读取范围数据、写入单元格、追加行数据或查找单元格时使用。也适用于用户提到钉钉表格、电子表格、在线表格、工作表、单元格、报表、CSV 导入导出等关键词的场景。不要在用户需要操作钉钉文档正文、管理日程、发消息或处理审批流时触发。

0· 89·0 current·0 all-time
byChen Wei@zmwei666
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match what the code and SKILL.md do: all actions are spreadsheet operations via mcporter. Required binary (mcporter) and primary env var (DINGTALK_MCP_SHEETS_URL) are appropriate for a MCP-backed DingTalk Sheets integration.
Instruction Scope
Runtime instructions are narrowly scoped to calling mcporter tools (create_workspace_sheet, get_range, update_range, etc.) and to local helper scripts for CSV import/export. The scripts explicitly restrict filesystem access to a workspace via resolve_safe_path. Minor note: the code reads OPENCLAW_WORKSPACE to determine allowed local paths, but that env var is not listed in requires.env in SKILL.md; this is a limited scope issue (workspace control) rather than broad data access.
Install Mechanism
No ad-hoc download/install steps. The repo contains Python helper scripts and package.json metadata but no installer that pulls arbitrary code at runtime. Execution relies on the mcporter binary being present (expected for MCP integrations).
Credentials
Only one declared credential (DINGTALK_MCP_SHEETS_URL) is required and is appropriate because it contains the MCP access token. Small inconsistency: helper code uses OPENCLAW_WORKSPACE to constrain file access but that env var isn't listed in requires.env; OPENCLAW_WORKSPACE is optional and used only to limit local filesystem actions.
Persistence & Privilege
Skill is not always-enabled (always: false) and does not request system-wide configuration changes. It relies on mcporter for credential storage/usage and does not require elevated or persistent platform privileges beyond normal skill invocation.
Assessment
This skill appears to do exactly what it claims: it calls DingTalk MCP tools through the mcporter CLI and provides local scripts for CSV import/export. Before installing: ensure you trust the mcporter binary and the MCP endpoint (DINGTALK_MCP_SHEETS_URL) because the URL contains an access token; prefer storing the URL in mcporter config rather than exposing it in plaintext environment variables or shared files. Note that the helper scripts respect OPENCLAW_WORKSPACE to limit filesystem access—set that env var if you want to control where imports/exports are allowed. If you need higher assurance, run the included tests (python tests/test_security.py) and inspect/verify the mcporter installation source.

Like a lobster shell, security has layers — review code before you run it.

latestvk97b8hn5cyxz9dp0tdsfx679fd84vvtx

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsmcporter
EnvDINGTALK_MCP_SHEETS_URL
Primary envDINGTALK_MCP_SHEETS_URL

Comments