Back to skill

Security audit

Ms Graph Calendar

Security checks across malware telemetry and agentic risk

Overview

This read-only Microsoft Graph calendar skill matches its scheduling purpose, but it handles tenant-wide calendar and directory access in ways that need careful review before installation.

Install only if an administrator is comfortable granting this app read access to employee calendars and directory records. Restrict the Azure app to the smallest mailbox set possible, treat the stored client secret and temp access token as sensitive, avoid logging command output from get-token.js, and rotate/delete credentials when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill requires highly sensitive environment variables and also persists Azure credentials locally, yet it does not clearly declare a permission model to make that access explicit to users or the hosting platform. This creates a transparency and governance gap that can lead to over-trusting the skill and mishandling tenant-wide credentials.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented purpose is calendar availability lookup, but the skill also acquires app-only OAuth tokens, stores client secrets, enumerates users, searches directory data, and may enumerate group members. That broader behavior materially expands the data-access surface beyond what a user may reasonably infer, enabling organization-wide directory and calendar reconnaissance if misused.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
This helper reads long-lived Azure application credentials from a local config file or environment, then mints an app-only Microsoft Graph token and exposes it for reuse. In the context of a calendar-availability skill, generating a broadly reusable bearer token is more capability than the skill itself needs and creates a credential-handling pathway that can be abused outside the intended workflow.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This script enumerates users and groups from Microsoft Graph and prints names/emails in both console and JSON, which goes beyond the narrowly stated purpose of checking calendar availability. In a scheduling skill, some identity lookup is expected, but broad directory listing and group-based expansion materially increases exposure of employee directory data and enables bulk discovery of internal identities.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The group lookup path resolves a group by name and then enumerates all members' names and email addresses, which is not clearly necessary for simply finding free/busy times. If exposed through an agent workflow, this can be used to map team membership and harvest contact data for internal reconnaissance or privacy-invasive profiling.

Vague Triggers

Medium
Confidence
79% confidence
Finding
The invocation description is broad enough to trigger on ordinary scheduling language without making clear that the skill may query coworkers' calendars and directory records using application permissions. Over-broad activation increases the chance of unintended use and silent access to sensitive organizational metadata.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The description does not prominently warn that the skill may access other employees' free/busy information and directory data across the tenant. Users may therefore invoke it without understanding the privacy implications or the breadth of access granted to the Azure application.

Missing User Warnings

High
Confidence
99% confidence
Finding
The script writes the bearer token to a predictable temporary file and also prints it directly to stdout, exposing it to shell history capture, logs, process supervision systems, terminal recording, and other local users or malware on the host. Because this is an app-only Graph token, anyone who obtains it can use the associated Graph permissions until expiration.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script sends directory queries to Microsoft Graph and emits personal data to stdout as human-readable text and machine-readable JSON without warning, masking, or output controls. In agent environments, stdout is often captured in logs or passed to downstream tools, so this behavior can unintentionally disclose employee PII beyond the immediate scheduling task.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script persists Azure tenant, client ID, and especially the client secret to a plaintext JSON file under the user's home directory. Although it attempts to set restrictive file permissions, storing long-lived credentials on disk increases exposure to local compromise, backups, accidental disclosure, or insecure file handling by other tools; in this calendar skill context, those credentials could grant access to Microsoft Graph data and organizational calendar information.

Unrestricted Tool Access

Medium
Category
Excessive Agency
Content
```
ถ้าได้ "✅ Token acquired" แปลว่าพร้อมใช้งานแล้ว

**App Registration ต้องมี Application Permissions:**
- `Calendars.Read` — read all users' calendars
- `User.Read.All` — list employees
- Admin ต้อง Grant consent ก่อน
Confidence
88% confidence
Finding
Permissions:*

Excessive Permissions

Low
Category
Privilege Escalation
Content
```
ถ้าได้ "✅ Token acquired" แปลว่าพร้อมใช้งานแล้ว

**App Registration ต้องมี Application Permissions:**
- `Calendars.Read` — read all users' calendars
- `User.Read.All` — list employees
- Admin ต้อง Grant consent ก่อน
Confidence
83% confidence
Finding
Permissions:*

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.