dingtalk-workspace-cli

Fail

Audited by Gen Agent Trust Hub on Mar 27, 2026

Risk Level: HIGH
Categories: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill provides installation commands that pipe remote scripts directly into the system shell (sh or iex). These scripts are hosted on the DingTalk-Real-AI GitHub organization.
  • [EXTERNAL_DOWNLOADS]: The installer downloads pre-compiled binaries and agent skill definitions from remote GitHub repositories to the local filesystem.
  • [COMMAND_EXECUTION]: The skill performs its primary functions by executing the dws CLI tool via subprocess calls, including sensitive operations like authentication and data management.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8).
    • Ingestion points: The skill retrieves untrusted data from DingTalk APIs, such as contact details, message contents, and calendar events.
    • Boundary markers: No explicit delimiters or instructions are provided to help the agent distinguish between data and instructions within the API responses.
    • Capability inventory: The skill can execute shell commands via the dws binary, write data to files (-o results.json), and perform network operations by sending messages or creating tasks in DingTalk.
    • Sanitization: The skill does not describe any validation or sanitization of the data retrieved from DingTalk before it is presented to the agent context.
Recommendations
  • HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/DingTalk-Real-AI/dingtalk-workspace-cli/main/scripts/install.sh, https://raw.githubusercontent.com/DingTalk-Real-AI/dingtalk-workspace-cli/main/scripts/install-skills.sh - DO NOT USE without thorough review
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 27, 2026, 07:47 PM