dingtalk-message

Warn

Audited by Gen Agent Trust Hub on Mar 17, 2026

Risk Level: MEDIUM

Findings: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE

Full Analysis
  • [COMMAND_EXECUTION]: The skill explicitly instructs the agent to create shell scripts in the /tmp/ directory and execute them using bash for all operations involving variables or API calls. This pattern of dynamic script generation and execution increases the risk of command injection if parameters or message content are not strictly sanitized before being written to the script file.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted message content while possessing high-privilege capabilities like file-writing and shell execution. The current instructions lack specific sanitization or escaping guidelines for the message payload.
      • Ingestion points: User-provided message content and callback data processed via sessionWebhook.
      • Boundary markers: Not specified for message content.
      • Capability inventory: Local file creation (create_file), shell execution (bash), and network access (curl) across both SKILL.md and references/api.md.
      • Sanitization: No explicit instructions for sanitizing or escaping content before script interpolation.
  • [CREDENTIALS_UNSAFE]: The skill manages sensitive DingTalk credentials, including APP_SECRET and WEBHOOK_SECRET, by storing them in a local plain-text file at ~/.dingtalk-skills/config. While it provides instructions to mask these in outputs, the storage of secrets in a predictable local file path represents a potential exposure risk.
  • [EXTERNAL_DOWNLOADS]: The skill performs network requests using curl to interact with official DingTalk API domains such as api.dingtalk.com and oapi.dingtalk.com. These are recognized as well-known service endpoints and are documented neutrally.

Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 17, 2026, 06:51 AM