dingtalk-openapi-skill
Pass
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: Fetches a curated OpenAPI schema from the author's official GitHub repository (holon-run/uxc). This is a standard configuration pattern for the uxc ecosystem to define API surfaces.
- [COMMAND_EXECUTION]: Interfaces with the DingTalk API using the uxc command-line tool. The instructions include explicit safety checks, such as using help flags to inspect operations and requiring user confirmation before executing write operations.
- [CREDENTIALS_UNSAFE]: Demonstrates secure authentication by instructing users to store app keys and secrets in environment variables. It utilizes bearer token flows and uxc's bootstrap mechanism for automated token refresh, avoiding hardcoded secrets.
- [DATA_EXFILTRATION]: All network requests are directed to the legitimate DingTalk Open Platform (api.dingtalk.com). There is no evidence of unauthorized data transmission to third-party or untrusted domains.
Audit Metadata