ClawHub

EWS Skill

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Exchange calendar-reading skill, but it handles sensitive calendar content and credentials that users must protect carefully.

Install only if you trust the configured Exchange endpoint and want the agent to read calendar bodies and links for requested dates. Use the keyring wrapper, avoid command-line passwords and plaintext .env files, do not print stored passwords unless absolutely necessary, and keep output or debug XML out of shared, synced, or source-controlled locations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill is explicitly user-invocable and documents shell-script execution, but no permissions are declared to signal that capability. This weakens transparency and policy enforcement because users or orchestrators may not realize the skill executes local shell commands, network calls, and file writes.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The document claims passwords are not stored in config files, but later explicitly supports a plaintext `.env` workflow. That inconsistency can mislead operators into believing the skill's credential handling is always keyring-backed when the documented fallback materially lowers security.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill is described as extracting calendar events, but it also performs a second request per event to fetch the full body and then extracts embedded links. Calendar bodies often contain sensitive meeting notes, dial-in details, private URLs, and internal operational data, so this expands data access well beyond what a user would reasonably expect from the description.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The template explicitly requests the full item body via item:Body, which can expose far more content than calendar metadata alone, including sensitive meeting notes, links, personal data, or embedded secrets. In the context of a skill described as extracting calendar events, this exceeds likely data-minimization needs and increases privacy and data-exposure risk if the skill processes or returns the body unnecessarily.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README explicitly encourages saving raw EWS XML responses for debugging, but those responses can contain sensitive calendar data such as meeting subjects, bodies, attendees, locations, and embedded links. Without a clear warning and secure-handling guidance, users may write sensitive data to disk, where it can be exposed through backups, shared directories, or accidental commits.

Missing User Warnings

High
Confidence
98% confidence
Finding
The credential-management section includes a command that prints the stored password in plaintext using macOS Keychain tooling. Documenting secret retrieval without a strong warning normalizes unsafe handling and can lead to credential exposure via terminal scrollback, screen sharing, shell history capture, or shoulder surfing.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The standalone usage guidance instructs users to place `EWS_PASS` in environment variables or a sourced `.env` file, which increases the risk of plaintext credential exposure. Environment variables and `.env` files are commonly leaked through shell history, process inspection, crash reports, accidental commits, or overly broad file permissions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The standalone workflow instructs users to place Exchange credentials in a plaintext `.env` file, which is a common source of credential leakage via weak file permissions, backups, endpoint scanning, and accidental source-control commits. The brief note to use keyring in production does not adequately communicate the real exposure risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Saving raw EWS XML responses to disk can expose highly sensitive calendar contents, including meeting bodies, attendees, locations, links, and possibly identifiers or tokens embedded in invitations. Without an explicit warning, users may write these artifacts to insecure temporary paths or shared systems.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script explicitly supports passing the password via `-p/--password` and documents an example using a literal password. Command-line arguments are commonly exposed through shell history, process listings such as `ps`, and audit/logging mechanisms, which can leak Exchange credentials to other local users or monitoring systems.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The script writes extracted calendar data to any user-supplied output path without warning that the output may include sensitive event details, including bodies and links. This can lead to inadvertent disclosure if the file is placed in shared directories, synced folders, or locations with broad read access.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The debug option saves raw XML responses directly to disk, and those responses can contain full calendar content, item identifiers, organizer addresses, and other sensitive metadata. Because this is raw protocol output, it may expose more than the normal JSON output and could persist sensitive information unintentionally.

Credential Access

High
Category
Privilege Escalation
Content
The skill runs `{baseDir}/ews-calendar-secure.sh` which:

1. Retrieves `EWS_PASS` from OS keyring
2. Calls the main script with all credentials in environment
3. Returns JSON output
Confidence
88% confidence
Finding
keyring

Credential Access

High
Category
Privilege Escalation
Content
2. Fill in your credentials
3. Run: `./ews-calendar.sh --date today`

**Warning:** This stores password in plaintext. Use keyring for production.
Confidence
93% confidence
Finding
keyring

Credential Access

High
Category
Privilege Escalation
Content
main() {
    check_dependencies
    
    # Get password from keyring
    EWS_PASS=$(get_password)
    
    if [[ -z "$EWS_PASS" ]]; then
Confidence
81% confidence
Finding
keyring

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal