Is andrewqumm/dingtalk-push safe?

https://github.com/openclaw/skills/tree/main/skills/andrewqumm/dingtalk-push

Score: 85 (SAFE)

This skill is a straightforward DingTalk group chat robot notification sender using Node.js built-in modules with no obfuscation, no external dependencies, and no malicious behavior detected. The primary risk is inherent to its purpose: it creates an outbound data channel to a configurable HTTP endpoint, which could theoretically be abused for data exfiltration if an attacker manipulates message content or redirects the webhook URL via a rogue config file in the working directory.

Category Scores

Prompt Injection 92/100 · 30%
Data Exfiltration 78/100 · 25%
Code Execution 75/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 65/100 · 5%

Findings (6)

MEDIUM Outbound data channel to configurable endpoint -15

The skill's core function is sending arbitrary message content to a user-configured webhook URL via HTTP POST. While this is the intended purpose, it creates an outbound data channel that could be abused to exfiltrate sensitive data if an attacker manipulates the agent into sending conversation context, file contents, or environment details as 'notification messages'.

LOW Config loaded from current working directory -7

loadConfig() searches process.cwd()/.dingtalk-push.json as one of its config sources. If a malicious .dingtalk-push.json file exists in the working directory (e.g., planted in a cloned repo), it could silently redirect all messages to an attacker-controlled endpoint instead of the user's intended DingTalk webhook.

LOW Executable JavaScript with outbound HTTP capability -15

send.js is a fully executable Node.js script with network capabilities using built-in https/http modules. While the code is clean and contains no obfuscation, dynamic evaluation, or child process spawning, it does make outbound HTTP requests to arbitrary URLs based on configuration.

LOW Supports unencrypted HTTP connections -10

The send.js code checks the URL protocol and will use the http module for non-HTTPS URLs. This means if the webhook is misconfigured with http://, messages (including any sensitive content) would be transmitted in cleartext.

INFO SKILL.md instructs shell command execution -8

The skill documentation shows command-line usage patterns that instruct the agent to run 'node skills/dingtalk-push/send.js' with various arguments. This is expected behavior for a CLI-capable skill but does expand the agent's execution surface.

INFO Mismatched lock.json reference -5

The .clawhub/lock.json file references the 'academic-research-hub' skill rather than 'dingtalk-push', suggesting it was copied from another skill template. This is not a security issue, but it indicates careless packaging.