dingtalk-workspace-cli

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.80). The set includes direct raw GitHub links to shell and PowerShell installer scripts (install.sh / install.ps1) and a GitHub repo from an unverified/possibly impersonating account (DingTalk-Real-AI) with one‑liner curl|sh and irm|iex install patterns — running those without inspecting the content is high risk even though some other links (open-dev.dingtalk.com, 127.0.0.1) look legitimate.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). Yes — the SKILL.md explicitly instructs fetching and executing public GitHub install scripts (e.g., "curl -fsSL https://raw.githubusercontent.com/.../install-skills.sh | sh") to install Agent Skills into ./.agents/skills/dws which agents auto-discover, meaning untrusted public content from GitHub can be ingested and directly change agent capabilities/behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill includes runtime installer commands that fetch and execute remote scripts (e.g., curl -fsSL https://raw.githubusercontent.com/DingTalk-Real-AI/dingtalk-workspace-cli/main/scripts/install.sh | sh, https://raw.githubusercontent.com/DingTalk-Real-AI/dingtalk-workspace-cli/main/scripts/install-skills.sh | sh, and irm https://raw.githubusercontent.com/DingTalk-Real-AI/dingtalk-workspace-cli/main/scripts/install.ps1 | iex), which run remote code and are used to install the CLI/agent skills required for the skill to function.