Low Risk — Risk Score 20/100
Last scan: 20 hr ago
dingtalk-cli
A skill wrapper for dingtalk-cli CLI tool to interact with DingTalk document APIs
A legitimate documentation-only skill that wraps the public `dingtalk-cli` PyPI package for DingTalk document operations, with declared credential handling and external dependency.
Skill Name: dingtalk-cli
Duration: 29.1s
Engine: pi
Safe to install
Consider pinning the dingtalk-cli version (e.g., `dingtalk-cli==x.y.z`) to mitigate supply chain risks. No immediate security concerns require blocking this skill.

Findings (1 item)

Severity | Finding | Location
Medium | Unpinned PyPI dependency | Supply Chain

SKILL.md instructs 'pip install dingtalk-cli' without specifying a version. This allows a malicious future version to be installed if the package is compromised.
  Evidence:       pip install dingtalk-cli
  Recommendation: Pin to a specific version: pip install dingtalk-cli==x.y.z
  Location:       SKILL.md:11
Resource    | Declared | Inferred | Status    | Evidence
Network     | READ     | READ     | ✓ Aligned | SKILL.md: Documents CLI making API calls to DingTalk servers
Filesystem  | NONE     | READ     | ✓ Aligned | SKILL.md: Config stored in ~/.dingtalk-cli/config.json (declared)
Shell       | NONE     | NONE     |           | SKILL.md: Only documents pip install and CLI usage; no subprocess calls
Environment | NONE     | READ     | ✓ Aligned | SKILL.md: Documents DINGTALK_* environment variables for credential override
1 finding

Medium | External URL
https://alidocs.dingtalk.com/i/nodes/xxx
SKILL.md:67

File Tree

2 files · 2.7 KB · 101 lines
Markdown: 1 file · 100 lines; Python: 1 file · 1 line
├─ 🐍 __init__.py Python 1L · 13 B
└─ 📝 SKILL.md Markdown 100L · 2.7 KB

Dependencies (1 item)

Package      | Version  | Source | Known Vulns | Notes
dingtalk-cli | unpinned | pip    | No          | Version not pinned; recommend pinning to a specific release

Security Positives

✓ Skill is purely documentation with no hidden implementation code
✓ All credential handling is declared in SKILL.md
✓ Network behavior is explicitly documented as the core functionality
✓ No suspicious patterns found (no base64, no eval, no subprocess calls in skill)
✓ __init__.py contains only __all__ = []
✓ No sensitive files accessed (no ~/.ssh, ~/.aws, .env reading)
✓ No obfuscation or anti-analysis techniques observed
✓ External URL (alidocs.dingtalk.com) is the legitimate DingTalk documentation domain