← Back to Skills Marketplace
andrewqumm

DingTalk Push

by andrewqumm · GitHub ↗ · v0.1.0
cross-platform ⚠ suspicious
1633
Downloads
1
Stars
12
Active Installs
1
Versions
Install in OpenClaw
/install dingtalk-push
Description
Send Markdown-formatted messages with type and @mentions to DingTalk group chats via bot webhook with optional signature verification.
README (SKILL.md)

skill: dingtalk-push

发送钉钉群聊机器人消息的技能。

触发条件

  • 用户请求发送钉钉消息
  • 定时任务需要推送通知到钉钉
  • 需要集成钉钉群机器人到其他工作流

功能

  • 发送 Markdown 格式消息到钉钉群
  • 支持消息类型(success/warning/error/info)
  • 支持 @指定人员和 @所有人
  • 支持加签验证(安全)

使用方法

直接发送消息

在对话中直接使用:

发送钉钉消息 "定时任务完成"
发送钉钉 "服务器备份成功" --type success
通知钉钉群 "系统维护通知" --all

编程调用

// 调用 skill 工具
const result = await tools.dingtalk_push({
  message: "定时任务完成",
  type: "success"
});

命令行调用

node skills/dingtalk-push/send.js -m "消息内容"
node skills/dingtalk-push/send.js -m "警告" --type warning
node skills/dingtalk-push/send.js -m "错误" --type error --all

配置

需要设置以下环境变量或配置文件:

  • DINGTALK_WEBHOOK - 钉钉机器人Webhook地址
  • DINGTALK_SECRET - 加签密钥(可选)

配置文件位置:~/.config/dingtalk-push/config.json

{
  "webhook": "https://oapi.dingtalk.com/robot/send?access_token=xxx",
  "secret": "SEC_xxx"
}

消息类型

类型 Emoji 适用场景
info ℹ️ 普通通知
success 成功完成任务
warning ⚠️ 警告、需要关注
error 错误、异常

输出

返回发送结果:

{
  "success": true,
  "messageId": "msg_xxx",
  "timestamp": "2026-02-14T12:00:00Z"
}

依赖

  • Node.js 16+
  • axios (已内置在OpenClaw中)
Usage Guidance
This skill appears to do exactly what it says: send Markdown messages to a DingTalk group via a webhook and optional signing secret. Before installing: (1) Verify and trust the webhook URL you provide — the webhook is a secret that can post into your group, so keep it private. (2) Note that the registry metadata omitted required env vars; you must set DINGTALK_WEBHOOK (and DINGTALK_SECRET if you use signing) or create the config file at ~/.config/dingtalk-push/config.json. (3) The skill reads config from your home config directory and the current working directory — avoid putting secrets in repositories or public folders. (4) The source has no homepage and an unknown owner; if you need higher assurance, review the small JS files yourself (they are readable and straightforward) or ask the author for provenance. (5) No external installs or unexpected network endpoints were found — the code only calls the provided webhook. If you plan to allow autonomous agent invocation, be aware the agent could send messages using that webhook, so restrict who can enable the skill and where the webhook posts.
Capability Analysis
Type: OpenClaw Skill Name: dingtalk-push Version: 0.1.0 The skill is classified as suspicious due to two main vulnerabilities in `send.js`. Firstly, the `DINGTALK_WEBHOOK` is loaded from environment variables or configuration files, meaning if these sources are compromised, the skill could be coerced into sending messages to an arbitrary, attacker-controlled endpoint. While this is a configuration vulnerability rather than direct malicious intent by the skill, it represents a significant risk. Secondly, user-provided `message` and `title` inputs are directly embedded into Markdown without explicit sanitization by the skill, which could allow for Markdown injection (e.g., phishing links, external image loads for tracking) if an attacker controls the input, potentially impacting DingTalk users.
Capability Assessment
Purpose & Capability
The skill is described as a DingTalk webhook messenger and the included files (send.js, tool.js) implement exactly that. The only minor incoherence: the registry metadata lists no required environment variables or primary credential, but both the SKILL.md and the code expect a DINGTALK_WEBHOOK and optional DINGTALK_SECRET (or a config file). This is likely an omission in the metadata rather than malicious behavior.
Instruction Scope
SKILL.md and the code limit actions to composing a Markdown message and POSTing it to the configured DingTalk webhook. The runtime reads configuration from environment variables or a small set of config file locations (~/.config/dingtalk-push/config.json, cwd .dingtalk-push.json, or the skill dir). It does not access unrelated system credentials, other network endpoints, or arbitrary files beyond those config paths.
Install Mechanism
No install spec or external downloads are used; the skill is instruction-only with local JS files. There is no fetching of third-party archives or packages at install time. Node.js 16+ is required to run the code (SKILL.md lists axios as available in the runtime).
Credentials
The only sensitive inputs required are the DingTalk webhook URL and optional secret — appropriate and proportionate for the stated function. However, the registry metadata does not declare these env vars (DINGTALK_WEBHOOK, DINGTALK_SECRET) as required; users should be aware the skill expects them even though the registry listing omitted them.
Persistence & Privilege
The skill does not request persistent elevated privileges, does not set always: true, and does not modify other skills or system-wide configuration. It runs as a normal skill and only performs outbound requests to the configured webhook.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install dingtalk-push
  3. After installation, invoke the skill by name or use /dingtalk-push
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.0
Initial release of dingtalk-push skill. - Send Markdown-format messages to DingTalk groups. - Supports message types: success, warning, error, info. - Allows @-mentioning specific users or all members. - Includes secure signature verification option. - Usable via direct commands, code, or CLI. - Configurable with environment variables or config file.
Metadata
Slug dingtalk-push
Version 0.1.0
License
All-time Installs 15
Active Installs 12
Total Versions 1
Frequently Asked Questions

What is DingTalk Push?

Send Markdown-formatted messages with type and @mentions to DingTalk group chats via bot webhook with optional signature verification. It is an AI Agent Skill for Claude Code / OpenClaw, with 1633 downloads so far.

How do I install DingTalk Push?

Run "/install dingtalk-push" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is DingTalk Push free?

Yes, DingTalk Push is completely free (open-source). You can download, install and use it at no cost.

Which platforms does DingTalk Push support?

DingTalk Push is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created DingTalk Push?

It is built and maintained by andrewqumm (@andrewqumm); the current version is v0.1.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191113 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments