v2.0.0

SharePoint by altf1be

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 6:00 AM.

Analysis

This skill appears to be a coherent SharePoint integration, but it grants real SharePoint read/write authority and should be installed only with tightly scoped Microsoft Graph permissions.

Guidance: This appears suitable if you intentionally want OpenClaw to work with a specific SharePoint site. Before installing, create a dedicated Entra app, keep `Sites.Selected`, prefer read-only access unless writes are needed, protect the certificate, and require human review for upload, delete, checkout, checkin, or publishing actions.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Note
SKILL.md
node {baseDir}/scripts/sharepoint.mjs upload --local ./report.docx --remote "Reports/Q1-2026.docx"
...
node {baseDir}/scripts/sharepoint.mjs delete --path "Drafts/old-file.txt" --confirm
...
node {baseDir}/scripts/sharepoint.mjs checkin --path "Report.docx" --comment "Reviewed and approved"

The skill exposes commands that upload, delete, check out and check in (lock and unlock), and publish SharePoint documents. These are purpose-aligned file operations, and delete is documented as requiring `--confirm`, but each of them changes shared content that other people depend on.

User impact: An agent using this skill could alter or delete shared SharePoint documents if given broad instructions or if a user approves the wrong action.

Recommendation: Require explicit human confirmation for upload, delete, checkout, checkin, and edit operations; rely on SharePoint versioning and backups; and avoid granting write access for read-only use cases.
Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: Medium | Status: Note
package.json
"version": "1.2.0"

The version in package.json (1.2.0) differs from both the registry metadata version (2.0.0) and the package-lock root version (0.1.0), so three artifacts that should describe one release disagree. This does not indicate malicious behavior, but it is a provenance and release-hygiene issue worth checking before you trust the installed contents.

User impact: Users may have a harder time confirming that the reviewed package contents exactly match the intended published release.

Recommendation: Verify the GitHub release or commit for the installed version and ensure package.json, package-lock, and registry metadata are aligned in future releases.
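One way to carry out that check locally, as an added example that is not part of the skill or of the ClawScan report: read the same three version fields the finding compares and refuse to proceed unless they agree. The skill directory and the registry version are parameters you supply; the defaults below are assumptions taken from this page, and the script runs in the PowerShell session an administrator would already be using for the Graph setup.

```powershell
# Added example, not part of the skill or of the ClawScan report: compare the
# three version fields the finding says disagree. Defaults are assumptions
# taken from this page; pass the values for the release you actually installed.
param(
    [string]$SkillDir = ".",
    [string]$RegistryVersion = "2.0.0"
)

function Get-SkillVersions {
    param([string]$Dir, [string]$Registry)

    $pkg  = Get-Content -Raw (Join-Path $Dir "package.json")      | ConvertFrom-Json
    $lock = Get-Content -Raw (Join-Path $Dir "package-lock.json") | ConvertFrom-Json

    # lockfileVersion 2/3 also record the root package under packages[""];
    # fall back to that entry when the top-level "version" field is absent.
    $lockRoot = $lock.version
    if (-not $lockRoot) {
        $root = $lock.packages.PSObject.Properties['']
        if ($root) { $lockRoot = $root.Value.version }
    }

    [ordered]@{
        'package.json'      = $pkg.version
        'package-lock root' = $lockRoot
        'registry metadata' = $Registry
    }
}

$versions = Get-SkillVersions -Dir $SkillDir -Registry $RegistryVersion
$versions.GetEnumerator() | ForEach-Object { '{0,-18} {1}' -f $_.Key, $_.Value }

# Any disagreement means the reviewed tree and the published release may differ.
$distinct = @($versions.Values | Where-Object { $_ } | Sort-Object -Unique)
if ($distinct.Count -ne 1) {
    Write-Warning ("Version fields disagree ({0}); pin the install to a reviewed tag or commit instead of trusting the package as-is." -f ($distinct -join ', '))
    exit 1
}
"All version fields agree on $($distinct[0])."
```

Run it from a checkout of the exact tag or commit you intend to install; a non-zero exit is the signal to stop and reconcile the release rather than install it.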
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Note
SKILL.md
1. Create an Entra app with `Sites.Selected` permission and certificate auth
2. Grant site-level write access via Microsoft Graph PowerShell

The skill requires Microsoft Graph application credentials (app-only, certificate-based) and may be granted write access to a SharePoint site. This is expected for the integration, but it is a standing application privilege that works without any signed-in user, so the certificate alone is enough to exercise it.

User impact: If the certificate or app registration is misconfigured or misused, the skill can access or modify files in the configured SharePoint site.

Recommendation: Use a dedicated Entra app, keep `Sites.Selected`, grant read-only access unless writing is truly needed, and protect the certificate and optional certificate password carefully.
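The recommendation above, carried out with the Microsoft Graph PowerShell SDK, as an added example that is not the skill's own setup script and not text from the ClawScan report. It grants the dedicated app `read` (not `write`) on exactly one site under `Sites.Selected`, then lists what that site now grants to the app so a stray write grant is visible. The hostname, site path, application id and display name are placeholders you must replace; the admin running the grant signs in with the delegated `Sites.FullControl.All` scope, which the app itself never receives.

```powershell
# Added example, not the skill's own setup script: read-only Sites.Selected
# grant for one site, followed by a verification pass. All four values below
# are placeholders (assumptions); substitute your tenant's.
Import-Module Microsoft.Graph.Sites

# The administrator performing the grant needs this delegated scope; the app does not.
Connect-MgGraph -Scopes "Sites.FullControl.All"

$hostname = "contoso.sharepoint.com"                 # placeholder: tenant hostname
$sitePath = "/sites/Finance"                         # placeholder: the one site the skill may touch
$appId    = "00000000-0000-0000-0000-000000000000"   # placeholder: application (client) id of the dedicated app
$appName  = "openclaw-sharepoint-skill"              # placeholder: display name of that app registration

# Resolve the site id from "hostname:/server-relative-path".
$site = Get-MgSite -SiteId "${hostname}:${sitePath}"

# Sites.Selected site grants use roles "read" or "write"; start with read and
# widen only if the skill genuinely has to upload, delete, check in or publish.
$body = @{
    roles               = @("read")
    grantedToIdentities = @(@{ application = @{ id = $appId; displayName = $appName } })
}
New-MgSitePermission -SiteId $site.Id -BodyParameter $body | Out-Null

# Verify: every grant this app holds on the site should be read-only.
Get-MgSitePermission -SiteId $site.Id |
    Where-Object {
        (@($_.GrantedToIdentitiesV2.Application.Id) + @($_.GrantedToIdentities.Application.Id)) -contains $appId
    } |
    ForEach-Object {
        $roles = $_.Roles -join ','
        if ($_.Roles -contains "write" -or $_.Roles -contains "fullcontrol" -or $_.Roles -contains "manage") {
            Write-Warning "$appName holds [$roles] on $sitePath; downgrade unless the skill must write"
        } else {
            "$appName holds [$roles] on $sitePath"
        }
    }
```

If a write grant later becomes necessary, change the existing permission's roles with `Update-MgSitePermission -SiteId $site.Id -PermissionId <id> -Roles @("write")` rather than creating a second grant, and re-run the verification loop afterwards so the site never silently accumulates both.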
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Low | Confidence: Medium | Status: Note
SKILL.md
The `read` command extracts text content from:
- `.docx` → full text extraction via mammoth
...
Output is plain text suitable for AI processing

The skill intentionally turns SharePoint and Office document contents into text for an AI agent to process. This is core functionality, but document contents may be confidential or may contain instructions that should not be treated as trusted agent commands.

User impact: Sensitive SharePoint document text may enter the agent's context, and malicious or accidental instructions inside documents could influence the agent if not handled carefully.

Recommendation: Use this only on documents the agent is allowed to process, and treat extracted document text as untrusted content for summarization or analysis rather than as instructions.