registry  /  @xdxer/dingtalk-agent  /  0.1.2

@xdxer/dingtalk-agent@0.1.2

钉钉数字员工的 Skill-first 行为范式:全局 Skill 决策,CLI 固定事务边界,Workspace 按需。

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package provides an explicit CLI command that installs a package-owned global agent skill and exposes it to Claude Code via symlink. No install-time execution or unconsented broad control-surface mutation is present.

Static reason
No blocking static signals were detected.
Trigger
User runs `dingtalk-agent skill install`, `upgrade`, or `uninstall`.
Impact
Changes future agent-session behavior through package-owned skill content.
Mechanism
Managed global skill copy and Claude Code skill symlink.
Rationale
The source implements first-party global agent-skill setup behind explicit user commands, so it warrants a warning under the extension lifecycle policy. No concrete malicious chain was found.
Evidence
package.jsondist/bin/dingtalk-agent.jsdist/src/skill-manager.jsdist/src/dws.jsskills/dingtalk-basic-behavior/SKILL.mdskills/dingtalk-basic-behavior~/.agents/skills/dingtalk-basic-behavior~/.claude/skills/dingtalk-basic-behavior

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • Explicit `skill install` copies a bundled skill into `~/.agents/skills/dingtalk-basic-behavior`.
  • The same command creates `~/.claude/skills/dingtalk-basic-behavior` symlink.
  • Skill lifecycle code can upgrade or uninstall only its marker-managed paths.
Evidence against
  • `package.json` has no preinstall/install/postinstall lifecycle hook.
  • Global skill mutation is reachable only through explicit `dingtalk-agent skill` subcommands.
  • `skill-manager.js` rejects unmanaged/conflicting paths and modified managed installs.
  • No direct network URLs, credential harvesting, eval/vm use, or remote payload loading found.
  • DingTalk access is delegated to explicitly invoked external `dws` commands.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemShell
Supply chain
HighEntropyStrings
ManifestNo manifest risk signals triggered.
scanned 23 file(s), 297 KB of source

Source & flagged code

0 flagged
No flagged code excerpts are attached to this scan.

Findings

4 Medium3 Low
MediumEnvironment Vars
MediumAi Review Evidence
MediumAi Review Evidence
MediumSuspicious Lifecycle Evidence
LowScripts Present
LowFilesystem
LowHigh Entropy Strings