← 返回 Skills 市场
DingTalk Push
作者
andrewqumm
· GitHub ↗
· v0.1.0
1633
总下载
1
收藏
12
当前安装
1
版本数
在 OpenClaw 中安装
/install dingtalk-push
功能描述
Send Markdown-formatted messages with type and @mentions to DingTalk group chats via bot webhook with optional signature verification.
使用说明 (SKILL.md)
skill: dingtalk-push
发送钉钉群聊机器人消息的技能。
触发条件
- 用户请求发送钉钉消息
- 定时任务需要推送通知到钉钉
- 需要集成钉钉群机器人到其他工作流
功能
- 发送 Markdown 格式消息到钉钉群
- 支持消息类型(success/warning/error/info)
- 支持 @指定人员和 @所有人
- 支持加签验证(安全)
使用方法
直接发送消息
在对话中直接使用:
发送钉钉消息 "定时任务完成"
发送钉钉 "服务器备份成功" --type success
通知钉钉群 "系统维护通知" --all
编程调用
// 调用 skill 工具
const result = await tools.dingtalk_push({
message: "定时任务完成",
type: "success"
});
命令行调用
node skills/dingtalk-push/send.js -m "消息内容"
node skills/dingtalk-push/send.js -m "警告" --type warning
node skills/dingtalk-push/send.js -m "错误" --type error --all
配置
需要设置以下环境变量或配置文件:
DINGTALK_WEBHOOK- 钉钉机器人Webhook地址DINGTALK_SECRET- 加签密钥(可选)
配置文件位置:~/.config/dingtalk-push/config.json
{
"webhook": "https://oapi.dingtalk.com/robot/send?access_token=xxx",
"secret": "SEC_xxx"
}
消息类型
| 类型 | Emoji | 适用场景 |
|---|---|---|
| info | ℹ️ | 普通通知 |
| success | ✅ | 成功完成任务 |
| warning | ⚠️ | 警告、需要关注 |
| error | ❌ | 错误、异常 |
输出
返回发送结果:
{
"success": true,
"messageId": "msg_xxx",
"timestamp": "2026-02-14T12:00:00Z"
}
依赖
- Node.js 16+
- axios (已内置在OpenClaw中)
安全使用建议
This skill appears to do exactly what it says: send Markdown messages to a DingTalk group via a webhook and optional signing secret. Before installing: (1) Verify and trust the webhook URL you provide — the webhook is a secret that can post into your group, so keep it private. (2) Note that the registry metadata omitted required env vars; you must set DINGTALK_WEBHOOK (and DINGTALK_SECRET if you use signing) or create the config file at ~/.config/dingtalk-push/config.json. (3) The skill reads config from your home config directory and the current working directory — avoid putting secrets in repositories or public folders. (4) The source has no homepage and an unknown owner; if you need higher assurance, review the small JS files yourself (they are readable and straightforward) or ask the author for provenance. (5) No external installs or unexpected network endpoints were found — the code only calls the provided webhook. If you plan to allow autonomous agent invocation, be aware the agent could send messages using that webhook, so restrict who can enable the skill and where the webhook posts.
功能分析
Type: OpenClaw Skill
Name: dingtalk-push
Version: 0.1.0
The skill is classified as suspicious due to two main vulnerabilities in `send.js`. Firstly, the `DINGTALK_WEBHOOK` is loaded from environment variables or configuration files, meaning if these sources are compromised, the skill could be coerced into sending messages to an arbitrary, attacker-controlled endpoint. While this is a configuration vulnerability rather than direct malicious intent by the skill, it represents a significant risk. Secondly, user-provided `message` and `title` inputs are directly embedded into Markdown without explicit sanitization by the skill, which could allow for Markdown injection (e.g., phishing links, external image loads for tracking) if an attacker controls the input, potentially impacting DingTalk users.
能力评估
Purpose & Capability
The skill is described as a DingTalk webhook messenger and the included files (send.js, tool.js) implement exactly that. The only minor incoherence: the registry metadata lists no required environment variables or primary credential, but both the SKILL.md and the code expect a DINGTALK_WEBHOOK and optional DINGTALK_SECRET (or a config file). This is likely an omission in the metadata rather than malicious behavior.
Instruction Scope
SKILL.md and the code limit actions to composing a Markdown message and POSTing it to the configured DingTalk webhook. The runtime reads configuration from environment variables or a small set of config file locations (~/.config/dingtalk-push/config.json, cwd .dingtalk-push.json, or the skill dir). It does not access unrelated system credentials, other network endpoints, or arbitrary files beyond those config paths.
Install Mechanism
No install spec or external downloads are used; the skill is instruction-only with local JS files. There is no fetching of third-party archives or packages at install time. Node.js 16+ is required to run the code (SKILL.md lists axios as available in the runtime).
Credentials
The only sensitive inputs required are the DingTalk webhook URL and optional secret — appropriate and proportionate for the stated function. However, the registry metadata does not declare these env vars (DINGTALK_WEBHOOK, DINGTALK_SECRET) as required; users should be aware the skill expects them even though the registry listing omitted them.
Persistence & Privilege
The skill does not request persistent elevated privileges, does not set always: true, and does not modify other skills or system-wide configuration. It runs as a normal skill and only performs outbound requests to the configured webhook.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install dingtalk-push - 安装完成后,直接呼叫该 Skill 的名称或使用
/dingtalk-push触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.1.0
Initial release of dingtalk-push skill.
- Send Markdown-format messages to DingTalk groups.
- Supports message types: success, warning, error, info.
- Allows @-mentioning specific users or all members.
- Includes secure signature verification option.
- Usable via direct commands, code, or CLI.
- Configurable with environment variables or config file.
元数据
常见问题
DingTalk Push 是什么?
Send Markdown-formatted messages with type and @mentions to DingTalk group chats via bot webhook with optional signature verification. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 1633 次。
如何安装 DingTalk Push?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install dingtalk-push」即可一键安装,无需额外配置。
DingTalk Push 是免费的吗?
是的,DingTalk Push 完全免费(开源免费),可自由下载、安装和使用。
DingTalk Push 支持哪些平台?
DingTalk Push 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 DingTalk Push?
由 andrewqumm(@andrewqumm)开发并维护,当前版本 v0.1.0。
推荐 Skills