by 安全扫描
OpenClaw
安全
high confidenceThis skill's code and instructions match its stated purpose (sending DingTalk group messages via a webhook); the requested configuration (webhook URL and optional signing secret) is appropriate — though the registry metadata omits declaring those env vars and the author/source is unknown so confirm trust before installing.
评估建议
This skill appears to do exactly what it says: send Markdown messages to a DingTalk group via a webhook and optional signing secret. Before installing: (1) Verify and trust the webhook URL you provide — the webhook is a secret that can post into your group, so keep it private. (2) Note that the registry metadata omitted required env vars; you must set DINGTALK_WEBHOOK (and DINGTALK_SECRET if you use signing) or create the config file at ~/.config/dingtalk-push/config.json. (3) The skill reads co...详细分析 ▾
ℹ 用途与能力
The skill is described as a DingTalk webhook messenger and the included files (send.js, tool.js) implement exactly that. The only minor incoherence: the registry metadata lists no required environment variables or primary credential, but both the SKILL.md and the code expect a DINGTALK_WEBHOOK and optional DINGTALK_SECRET (or a config file). This is likely an omission in the metadata rather than malicious behavior.
✓ 指令范围
SKILL.md and the code limit actions to composing a Markdown message and POSTing it to the configured DingTalk webhook. The runtime reads configuration from environment variables or a small set of config file locations (~/.config/dingtalk-push/config.json, cwd .dingtalk-push.json, or the skill dir). It does not access unrelated system credentials, other network endpoints, or arbitrary files beyond those config paths.
✓ 安装机制
No install spec or external downloads are used; the skill is instruction-only with local JS files. There is no fetching of third-party archives or packages at install time. Node.js 16+ is required to run the code (SKILL.md lists axios as available in the runtime).
ℹ 凭证需求
The only sensitive inputs required are the DingTalk webhook URL and optional secret — appropriate and proportionate for the stated function. However, the registry metadata does not declare these env vars (DINGTALK_WEBHOOK, DINGTALK_SECRET) as required; users should be aware the skill expects them even though the registry listing omitted them.
✓ 持久化与权限
The skill does not request persistent elevated privileges, does not set always: true, and does not modify other skills or system-wide configuration. It runs as a normal skill and only performs outbound requests to the configured webhook.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv0.1.02026/2/14
Initial release of dingtalk-push skill. - Send Markdown-format messages to DingTalk groups. - Supports message types: success, warning, error, info. - Allows @-mentioning specific users or all members. - Includes secure signature verification option. - Usable via direct commands, code, or CLI. - Configurable with environment variables or config file.
● 可疑
安装命令 点击复制
官方npx clawhub@latest install dingtalk-push
镜像加速npx clawhub@latest install dingtalk-push --registry https://cn.clawhub-mirror.com
数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制
免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制