← 返回 Skills 市场

Keplerjai Dingtalk Attendance

Name: Keplerjai Dingtalk Attendance
Author: renjicode

作者任佶 · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ⚠ suspicious

总下载

当前安装

版本数

在 OpenClaw 中安装

/install keplerjai-dingtalk-attendance

功能描述

从钉钉开放平台获取员工考勤数据，并保存到本地或推送到指定渠道。

使用说明 (SKILL.md)

\r \r

钉钉考勤数据获取技能\r

功能描述\r

定时从钉钉开放平台获取员工考勤数据，并保存到本地或推送到指定渠道。\r \r

配置步骤\r

1. 钉钉开放平台配置\r

访问 https://open.dingtalk.com\r
创建企业内部应用\r
获取 AppKey 和 AppSecret\r
添加应用权限：\r
- 考勤管理权限\r
- 通讯录权限（获取员工信息）\r
企业管理员审批授权\r \r

2. 本地配置\r

复制 .env.example 为 .env 并填写：\r

DINGTALK_APP_KEY=你的 AppKey\r
DINGTALK_APP_SECRET=你的 AppSecret\r
DINGTALK_AGENT_ID=应用的 agentId\r
OUTPUT_DIR=./data/attendance\r
OUTPUT_FORMAT=json\r
```\r
\r
执行规则：\r
- 仅使用技能目录下的 `.env` 读取凭证与输出配置。\r
- 不依赖 `config.json`。\r
- 若 `.env` 已存在且字段完整，直接执行，不要重复要求用户在对话中提供凭证。\r
\r
建议先做本地自检：\r
- 确认 `.env` 文件在本技能根目录，与 `index.js` 同级。\r
- 确认包含 `DINGTALK_APP_KEY` 和 `DINGTALK_APP_SECRET`。\r
- 确认从本技能目录执行 `node index.js`（避免在其他目录启动导致找错文件）。\r
\r
Windows PowerShell 示例：\r
```powershell\r
Copy-Item .env.example .env\r
node index.js\r
```\r
\r
macOS/Linux 示例：\r
```bash\r
cp .env.example .env\r
node index.js\r
```\r
\r
### 3. 安装依赖\r
```bash\r
npm install axios moment\r
```\r
\r
## 使用方法\r
\r
### 手动运行\r
```bash\r
cd keplerjai-dingtalk-attendance\r
node index.js\r
```\r
\r
### 定时任务（推荐）\r
在 OpenClaw 中配置 cron 任务，每天自动获取前一天的考勤数据。\r
\r
## 输出数据\r
- 打卡记录（JSON/CSV）\r
- 考勤日报/月报\r
- 异常考勤提醒\r
\r
## 注意事项\r
- API 调用有频率限制，建议定时获取而非实时\r
- 需要企业管理员授权\r
- 敏感数据请妥善保管\r
\r
## Agent 执行约定\r
- 先读取本技能目录下的 `.env` 再执行任务。\r
- 若缺少必要字段，仅提示“本地 `.env` 缺少必填项”，不要要求用户在聊天中粘贴密钥。\r
- 默认返回考勤结果与输出文件位置，不回显任何密钥值。\r

安全使用建议

What to consider before installing/running: - This skill does require DingTalk credentials (DINGTALK_APP_KEY and DINGTALK_APP_SECRET, plus optional agent/app IDs) even though the registry metadata lists none — do not paste secrets into chat; store them only in the .env in the skill directory as instructed. - The repo includes Node and Python code. Review index.js, export_excel.py and any config.json before running. index.js will call DingTalk APIs and save data locally under data/attendance and data/excel. - The Python exporter will automatically attempt to pip-install openpyxl at runtime if not present (export_excel.py uses os.system('pip install openpyxl -q')). That causes network access and package installation — if you prefer control, pre-install dependencies yourself (pip install -r requirements.txt and npm install) and remove/disable the auto-install line. - SKILL.md and README are inconsistent: SKILL.md's npm install step omits dotenv (which index.js requires), and SKILL.md says it won't use config.json but index.js will read config.json as a fallback. Treat those as documentation bugs and verify actual behavior locally. - Run initially in an isolated environment (VM, container, or isolated project), as the code will perform network calls to oapi.dingtalk.com and may install packages from registries. - Verify that the application will only be given minimal DingTalk permissions required for the task and that the hosting environment has least privilege (don't run as root). Consider rotating credentials after initial tests. - If you need higher assurance: audit package-lock.json / package.json for dependencies, run 'npm audit' and 'pip audit' (or equivalent), and consider removing the auto-install behavior or pinning dependency versions before production use. Overall: the functionality matches the stated purpose, but the manifest/instructions inconsistencies and the runtime auto-install behavior make this suspicious rather than clearly benign. Inspect and run it in an isolated/test environment and address the documentation and install issues before trusting it with production credentials.

功能分析

Type: OpenClaw Skill Name: keplerjai-dingtalk-attendance Version: 1.0.0 The skill bundle is designed to fetch DingTalk attendance data and generate Excel reports. It is classified as suspicious due to high-risk execution patterns, specifically the use of 'os.system' in 'export_excel.py' to automatically install Python dependencies and 'child_process.exec' in 'index.js' to run shell commands. While the 'index.js' script implements date validation to mitigate command injection, these behaviors represent significant security vulnerabilities. The 'SKILL.md' file contains well-defined instructions to prevent the AI agent from leaking API credentials (AppKey/AppSecret) into the chat interface, which is a positive security measure.

能力评估

⚠ Purpose & Capability

The code (index.js, export_excel.py, summary.py) implements a DingTalk attendance fetcher and exporter which is coherent with the skill description. However the registry metadata claims 'Required env vars: none' and 'instruction-only', which is false: the code requires DINGTALK_APP_KEY / DINGTALK_APP_SECRET (and optionally agent/app IDs) and ships Node/Python code—metadata under-declares required credentials and files.

⚠ Instruction Scope

SKILL.md instructs the agent to read a .env in the skill directory and not to ask users to paste keys in chat. The code does read .env but also falls back to config.json (index.js loads fileConfig) despite SKILL.md saying '不依赖 config.json'. The runtime actions are limited to calling DingTalk APIs and writing local JSON/Excel files (expected), but the Python exporter will auto-install openpyxl if missing, which causes network activity and package installation at runtime beyond what's documented in SKILL.md.

⚠ Install Mechanism

No install spec is declared in the registry (instruction-only), yet the bundle contains package.json/package-lock and Python scripts. SKILL.md's npm install instruction is incomplete (it asks to install axios and moment but omits dotenv which index.js requires). export_excel.py runs os.system('pip install openpyxl -q') if openpyxl is missing — an automatic runtime pip install from PyPI. These inconsistencies and the implicit network installs raise moderate risk.

⚠ Credentials

The skill needs DingTalk credentials (AppKey/AppSecret, agentId/appId) to function, but the registry metadata lists no required env vars or primary credential. That mismatch is significant: the skill will require secrets to operate but the manifest does not declare them. No other unrelated credentials are requested.

✓ Persistence & Privilege

The skill does not request elevated platform privileges or always:true. It writes output files under its own data/ directories and does not appear to modify other skills or global configuration. Autonomous invocation is enabled by default but not combined with other high-risk factors here.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install keplerjai-dingtalk-attendance
安装完成后，直接呼叫该 Skill 的名称或使用 /keplerjai-dingtalk-attendance 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

Initial release of keplerjai-dingtalk-attendance. - Fetches employee attendance data from the DingTalk Open Platform. - Supports scheduled or manual data pulls, saving results locally or pushing to a specified channel. - Uses a `.env` file for credentials and configuration; no interactive credential requests. - Provides setup instructions, self-check guidelines, and output format options (JSON/CSV). - Includes guidance for both manual and automated (cron) execution. - Sensitive information is protected; credentials are not displayed in outputs.

元数据

Slug keplerjai-dingtalk-attendance

版本 1.0.0

许可证 MIT-0

累计安装 1

当前安装数 1

历史版本数 1

常见问题