Scan Report
20/100
dingtalk-cli
A skill wrapper for dingtalk-cli CLI tool to interact with DingTalk document APIs
A legitimate documentation-only skill that wraps the public `dingtalk-cli` PyPI package for DingTalk document operations, with declared credential handling and external dependency.
Can be installed
Consider pinning the dingtalk-cli version (e.g., `dingtalk-cli==x.y.z`) to mitigate supply chain risks. No immediate security concerns require blocking this skill.
Security findings: 1
| Severity | Finding | Location |
|---|---|---|
| Medium | Unpinned PyPI dependency (supply chain) | SKILL.md:11 |
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Network access | READ | READ | ✓ Consistent | SKILL.md: Documents CLI making API calls to DingTalk servers |
| File system | NONE | READ | ✓ Consistent | SKILL.md: Config stored in ~/.dingtalk-cli/config.json (declared) |
| Command execution | NONE | NONE | — | SKILL.md: Only documents pip install and CLI usage; no subprocess calls |
| Environment variables | NONE | READ | ✓ Consistent | SKILL.md: Documents DINGTALK_* environment variables for credential override |
External URLs: 1 finding
| Severity | Type | URL | Location |
|---|---|---|---|
| Medium | External URL | https://alidocs.dingtalk.com/i/nodes/xxx | SKILL.md:67 |
Directory structure
2 files · 2.7 KB · 101 lines (Markdown: 1 file, 100 lines; Python: 1 file, 1 line)
├─ __init__.py (Python)
└─ SKILL.md (Markdown)
Dependency analysis: 1 item
| Package | Version | Source | Known vulnerabilities | Notes |
|---|---|---|---|---|
| dingtalk-cli | unpinned | pip | No | Version not pinned; recommend pinning to a specific release |
Security highlights
✓ Skill is purely documentation with no hidden implementation code
✓ All credential handling is declared in SKILL.md
✓ Network behavior is explicitly documented as the core functionality
✓ No suspicious patterns found (no base64, no eval, no subprocess calls in skill)
✓ __init__.py contains only __all__ = []
✓ No sensitive files accessed (no ~/.ssh, ~/.aws, .env reading)
✓ No obfuscation or anti-analysis techniques observed
✓ External URL (alidocs.dingtalk.com) is the legitimate DingTalk documentation domain