andylikescodes

Dingtalk Csa

by Andy Liang · GitHub ↗ · v1.0.2 · MIT-0
cross-platform ⚠ suspicious
104 Downloads · 0 Stars · 0 Active Installs · 3 Versions
Install in OpenClaw
/install dingtalk-csa
Description
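DingTalk Cloud Storage Assistant (钉盘助手): manages DingTalk Drive spaces, files and documents. Triggered when the user asks to read or write DingTalk Drive files, manage team spaces, upload or download documents, or work with adoc documents. Also applies to DingTalk file analysis, report generation, team collaboration and similar scenarios. Trigger words: 钉盘, 钉钉云盘, DingTalk storage, 钉钉文件, 钉钉文档.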
README (SKILL.md)

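DingTalk Cloud Storage Assistant (钉盘助手)

Manage DingTalk Drive: team spaces, file upload and download, reading and writing DingTalk documents, and team collaboration.

🔒 Security model: read anywhere, write restricted

Core principle: the AI may read any space it can access, but may write only to designated folders.

This ensures that:

  • ✅ The AI can read files shared with the team (for analysis, summaries and so on)
  • ✅ The AI can write only in pre-approved collaboration folders
  • ❌ Important files are not accidentally modified or overwritten

Configuring the write whitelist

Configure the locations where writes are allowed under ALLOWED_WRITE_PATHS in SKILL.md:

# === Write whitelist ===
# The AI may write only to the locations below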
ALLOWED_WRITE_PATHS:
  - spaceId: "YOUR_SPACE_ID"
    parentDentryId: "YOUR_FOLDER_ID"
    path: "/AI_Collab"
    description: "AI协作文件夹 - AI只允许写入此文件夹"

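Enforcement rules:

  1. Read: access to any space/folder is allowed ✅
  2. Write (uploading files, creating documents, creating folders): only inside the whitelist ✅
  3. Delete: not allowed ❌
  4. Before any write operation, first check whether the target path is in the whitelist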
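
One way to enforce the four rules above before a write call is issued, as an added example that is not part of the skill's own files (the skill ships instructions only). The operation names, the sample IDs space1001 and folderAICollab, and the accepted ID alphabet are assumptions; for document writes the caller must supply the spaceId and the ID of the folder the document lives in.

```sh
#!/bin/sh
# Added example, not shipped with the skill. Whitelist entries are
# "spaceId:parentDentryId" pairs, one per line (constructed sample IDs).
ALLOWED_WRITE_TARGETS='space1001:folderAICollab'

# valid_id ID: non-empty, only letters, digits, '_' and '-' (assumed alphabet).
# Refusing everything else keeps ':' and '/' out of the match and the URL path.
valid_id() {
  case "$1" in
    ''|*[!A-Za-z0-9_-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# check_op OP SPACE_ID PARENT_DENTRY_ID: returns 0 if allowed, 1 if refused.
check_op() {
  case "$1" in
    list_spaces|list_files|read_doc|download)
      return 0 ;;   # rule 1: reads are allowed anywhere
    upload|create_doc|create_folder|overwrite_doc|append_doc)
      valid_id "$2" && valid_id "$3" || return 1
      # rule 2: exact whole-line match, so only the listed folder itself passes
      printf '%s\n' "$ALLOWED_WRITE_TARGETS" | grep -Fxq -- "$2:$3" ;;
    *)
      return 1 ;;   # rule 3: delete, and any unrecognised operation, is refused
  esac
}

# guarded OP SPACE_ID PARENT_DENTRY_ID CMD...: rule 4, check first, then run CMD.
guarded() {
  [ "$#" -ge 4 ] || return 1
  g_op=$1 g_space=$2 g_parent=$3
  shift 3
  if ! check_op "$g_op" "$g_space" "$g_parent"; then
    echo "refused: $g_op on $g_space/$g_parent is outside the write whitelist" >&2
    return 1
  fi
  "$@"
}

# Usage with the folder-creation call from this page:
#   guarded create_folder "$SPACE_ID" "$PARENT_ID" curl -X POST \
#     "https://api.dingtalk.com/v1.0/storage/spaces/$SPACE_ID/dentries/$PARENT_ID/folders" ...
```

Because the match is exact, a subfolder created inside the whitelisted folder is not writable until its own ID is added to the whitelist.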

🔑 Authentication

All API calls require an access token, obtained as follows:

curl -X POST 'https://api.dingtalk.com/v1.0/oauth2/accessToken' \
  -H 'Content-Type: application/json' \
  -d '{"appKey": "'"$DINGTALK_APP_KEY"'", "appSecret": "'"$DINGTALK_APP_SECRET"'"}'

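Environment variables:

  • DINGTALK_APP_KEY: the DingTalk app's AppKey
  • DINGTALK_APP_SECRET: the DingTalk app's AppSecret (⚠️ never write it in plaintext in code or configuration files)

The token is valid for 2 hours; cache it to avoid repeated requests.

Core operations

1. List spaces (read ✅)

# Enterprise spaces
curl -X GET "https://api.dingtalk.com/v1.0/drive/spaces?unionId=<unionId>&spaceType=org&maxResults=50" \
  -H "x-acs-dingtalk-access-token: <TOKEN>"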

2. List files (read ✅)

curl -X POST "https://api.dingtalk.com/v1.0/storage/spaces/{spaceId}/dentries/listAll" \
  -H "x-acs-dingtalk-access-token: <TOKEN>" \
  -H 'Content-Type: application/json' \
  -d '{"unionId": "<unionId>"}'

3. Read document content (read ✅)

For DingTalk documents in .adoc format, use the uuid as the documentId:

curl -X GET "https://api.dingtalk.com/v1.0/doc/suites/documents/{documentId}/blocks?operatorId=<unionId>" \
  -H "x-acs-dingtalk-access-token: <TOKEN>"

4. Write document content (write ⚠️ check the whitelist)

# Overwrite the entire document (Markdown format)
curl -X POST "https://api.dingtalk.com/v1.0/doc/suites/documents/{documentId}/overwriteContent?operatorId=<unionId>" \
  -H "x-acs-dingtalk-access-token: <TOKEN>" \
  -H 'Content-Type: application/json' \
  -d '{"content": "# Markdown Content", "dataType": "markdown"}'

# Append content to the document
curl -X POST "https://api.dingtalk.com/v1.0/doc/suites/documents/{documentId}/content?operatorId=<unionId>" \
  -H "x-acs-dingtalk-access-token: <TOKEN>" \
  -H 'Content-Type: application/json' \
  -d '{"content": {"type": "markdown", "content": "## New Section"}}'

5. Create a folder (write ⚠️ check the whitelist)

curl -X POST "https://api.dingtalk.com/v1.0/storage/spaces/{spaceId}/dentries/{parentId}/folders" \
  -H "x-acs-dingtalk-access-token: <TOKEN>" \
  -H 'Content-Type: application/json' \
  -d '{"unionId": "<unionId>", "name": "New Folder"}'

6. Upload a file (write ⚠️ check the whitelist)

A 3-step process; see references/upload-guide.md for details.

7. Download a file (read ✅)

curl -X POST "https://api.dingtalk.com/v1.0/storage/spaces/{spaceId}/dentries/{dentryId}/downloadInfos/query?unionId=<unionId>" \
  -H "x-acs-dingtalk-access-token: <TOKEN>" \
  -H 'Content-Type: application/json' \
  -d '{"option": {"version": 1}}'

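Required permissions

See references/permissions.md for details.

Core permissions (7):

  1. Storage.Space.Read - DingTalk Drive app space read
  2. Storage.Space.Write - DingTalk Drive app space write
  3. Storage.File.Read - DingTalk Drive app file read
  4. Storage.File.Write - DingTalk Drive app file write
  5. Storage.UploadInfo.Read - DingTalk Drive upload info read
  6. Storage.DownloadInfo.Read - DingTalk Drive download info read
  7. Enterprise storage file download info read permission (企业存储文件下载信息读权限) - enterprise storage file download (used together with #6)

Reference documents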

Usage Guidance
This instruction-only skill appears to do what it says (manage DingTalk Drive) and legitimately needs an AppKey/AppSecret. Before installing: 1) resolve the metadata mismatch — ensure the platform shows DINGTALK_APP_KEY and DINGTALK_APP_SECRET as required so you can supply them securely (via secrets/env injection), not hard-coded; 2) only grant the DingTalk app the minimal permissions needed (prefer read-only where possible) and avoid enabling broad write/delete privileges; 3) configure and verify the ALLOWED_WRITE_PATHS whitelist in a safe test environment and confirm your agent honors it (the SKILL.md outlines the rule but enforcement depends on integrator/agent); 4) because the skill can read any accessible spaces, review which team spaces the app will have access to and limit scope to avoid exposing sensitive files; 5) note the source/homepage is unknown — if possible, verify the publisher (owner ID) or prefer a skill with a known, trusted source. If you need higher assurance, request the publisher to fix the metadata and provide an explicit statement or automated enforcement of the write whitelist.
Capability Analysis
Type: OpenClaw Skill · Name: dingtalk-csa · Version: 1.0.2
The dingtalk-csa skill is a legitimate tool for managing DingTalk Cloud Storage, providing instructions for the AI agent to interact with official DingTalk APIs. It includes a well-documented safety model in SKILL.md that instructs the agent to adhere to a write-access whitelist and explicitly forbids file deletion. The bundle contains comprehensive setup guides and uses standard shell commands (curl) for API interactions without any evidence of malicious intent, data exfiltration, or obfuscation.
Capability Tags
requires-oauth-token
Capability Assessment
Purpose & Capability
The skill's name and instructions clearly target DingTalk cloud storage and document operations; requiring an AppKey/AppSecret is appropriate. However, the registry metadata (Requirements section) claims 'Required env vars: none' and 'Primary credential: none' while the SKILL.md declares DINGTALK_APP_KEY and DINGTALK_APP_SECRET — this mismatch is an inconsistency to resolve.
Instruction Scope
SKILL.md is instruction-only and documents only DingTalk API calls (list, read, upload, commit, download, doc overwrite/append). It states a write-whitelist (ALLOWED_WRITE_PATHS) and forbids deletions, which is good practice, but enforcement appears procedural (instructions) rather than enforced by shipped code — the agent (or integrator) must correctly implement and honor the whitelist. There are no instructions to read unrelated local files or unrelated env vars.
Install Mechanism
No install spec and no code files to execute (instruction-only). No downloads or archive extraction are present, so disk-write/install risk is low.
Credentials
The only sensitive data the skill requires are AppKey and AppSecret for DingTalk — these are appropriate and expected. The inconsistency is that the top-level registry metadata did not list these required env vars while SKILL.md does. Confirming that the platform will prompt for/provide secure env injection (not plaintext in config) is important.
Persistence & Privilege
The skill is not marked always:true and does not request system-level persistence or modifications to other skills. Autonomous invocation is allowed by default (normal).
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install dingtalk-csa
  3. After installation, invoke the skill by name or use /dingtalk-csa
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
Added environment variable declarations in metadata. All credentials now use env vars.
v1.0.1
Security fix
v1.0.0
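Initial release: space management, file operations, document read/write, the security model separating reads from writes, and a complete permissions guide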
Metadata
Slug dingtalk-csa
Version 1.0.2
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 3
Frequently Asked Questions

What is Dingtalk Csa?

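DingTalk Cloud Storage Assistant (钉盘助手): manages DingTalk Drive spaces, files and documents. Triggered when the user asks to read or write DingTalk Drive files, manage team spaces, upload or download documents, or work with adoc documents. Also applies to DingTalk file analysis, report generation, team collaboration and similar scenarios. Trigger words: 钉盘, 钉钉云盘, DingTalk storage, 钉钉文件, 钉钉文档. It is an AI Agent Skill for Claude Code / OpenClaw, with 104 downloads so far.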

How do I install Dingtalk Csa?

Run "/install dingtalk-csa" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Dingtalk Csa free?

Yes, Dingtalk Csa is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Dingtalk Csa support?

Dingtalk Csa is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Dingtalk Csa?

It is built and maintained by Andy Liang (@andylikescodes); the current version is v1.0.2.
