office secretary

Security checks across malware telemetry and agentic risk

Overview

This appears to be a genuine Microsoft 365 assistant, but it requests broad delegated permissions that can modify mail, grant wide calendar and file access, and send Teams messages, with no clear confirmation step before those actions run.

Install only if you are comfortable granting this skill delegated Microsoft 365 access that can modify mail, use broad calendar and file permissions, and send Teams messages. Prefer a version that requests narrower read-only calendar and file scopes where possible, asks for explicit confirmation before any mailbox or Teams change, pins its dependencies, and documents how to clear the token cache.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill exposes several powerful capabilities, including environment access, file read/write, network access, and shell execution, but declares no explicit permissions model for users or the registry. That gap reduces transparency and lets users or orchestrators grant or invoke the skill without understanding its real access level, which matters here because the skill handles Microsoft 365 data under delegated auth.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The top-level description frames the skill as a secure M365 assistant for triage, calendar coordination, and governance, but the documented commands and permissions also enable Teams message posting and OneDrive file access with write-capable delegated scopes. This mismatch is dangerous because users may consent to broader actions than they reasonably expect, enabling unauthorized messaging, data modification, or file access under delegated identity.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The skill can post arbitrary Teams channel messages via `post_teams`, which is a write capability not clearly necessary for the stated functions of triage, calendar coordination, and governance. In an agent context, unnecessary outbound messaging expands the blast radius for abuse, spam, impersonation, or unintended data sharing.

Intent-Code Divergence

High
Confidence
95% confidence
Finding
The comment asserts the scopes 'perfectly match' the documented features, but the code requests broad Graph write scopes including mail, calendar, files, and Teams messaging. Over-privileged OAuth scopes are dangerous because compromise or misuse of the skill grants broad modification rights across multiple M365 data domains.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The setup instructs users to grant broad delegated permissions including Mail.ReadWrite, Calendars.ReadWrite, Files.ReadWrite, and ChatMessage.Send, but does not warn that these scopes allow modification of mailbox contents, calendar data, files, and outbound communications as the user. In this context, the omission is especially risky because the skill presents itself as security-first, which may cause users to lower their guard and approve powerful permissions without informed consent.
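The three findings above (Context-Inappropriate Capability, Intent-Code Divergence, Missing User Warnings) all reduce to one check: do the requested Graph delegated scopes exceed what the documented features need? The script below is an added example, not code from the scanned skill or from SkillSpector. It takes the four scopes named in the setup instructions and the three documented features, and reports each scope that is broader than necessary together with the read-only alternative where one exists. The mapping from feature to minimal scope is an assumption about what read-style triage, calendar and governance work requires; adjust it to the skill's actual behaviour.

```python
"""Scope audit for a Microsoft 365 skill manifest.

Added example, not code from the scanned skill: it compares the Graph
delegated scopes a skill requests with the minimal scopes its documented
features need, so a comment claiming the scopes 'perfectly match' the
features can be checked instead of trusted.
"""
from dataclasses import dataclass

# Assumption: the least-privilege scope for each feature the skill documents.
FEATURE_SCOPES = {
    "mail triage": {"Mail.Read"},
    "calendar coordination": {"Calendars.Read"},
    "governance reporting": {"Files.Read"},
}

# Write-capable Graph scopes that have a read-only counterpart.
READ_ONLY_ALTERNATIVE = {
    "Mail.ReadWrite": "Mail.Read",
    "Calendars.ReadWrite": "Calendars.Read",
    "Files.ReadWrite": "Files.Read",
}

# Scope-name segments that always imply a state change (writing, sending).
WRITE_MARKERS = {"ReadWrite", "Write", "Send", "Manage"}


@dataclass(frozen=True)
class ScopeFinding:
    scope: str
    reason: str
    suggestion: str


def is_write_scope(scope: str) -> bool:
    """True for scopes such as Mail.ReadWrite, Files.ReadWrite.All or ChatMessage.Send."""
    return bool(WRITE_MARKERS & set(scope.split(".")))


def least_privilege_scopes(features) -> set:
    """Union of the minimal scopes needed by the documented features."""
    needed = set()
    for feature in features:
        needed |= FEATURE_SCOPES.get(feature, set())
    return needed


def audit_scopes(requested, features) -> list:
    """Return one finding per requested scope that exceeds the documented need."""
    needed = least_privilege_scopes(features)
    findings = []
    for scope in requested:
        if scope in needed:
            continue
        alternative = READ_ONLY_ALTERNATIVE.get(scope)
        if alternative in needed:
            findings.append(ScopeFinding(
                scope,
                "write-capable scope where the documented feature only reads",
                f"replace with {alternative}",
            ))
        elif is_write_scope(scope):
            findings.append(ScopeFinding(
                scope,
                "write-capable scope not needed by any documented feature",
                "remove, or gate behind an explicit per-action user confirmation",
            ))
        else:
            findings.append(ScopeFinding(
                scope, "scope not needed by any documented feature", "remove"))
    return findings


def scopes_match_documentation(requested, features) -> bool:
    """The claim the skill's comment makes, evaluated rather than asserted."""
    return not audit_scopes(requested, features)


if __name__ == "__main__":
    # The four scopes named in the setup instructions on this page.
    requested = ["Mail.ReadWrite", "Calendars.ReadWrite", "Files.ReadWrite", "ChatMessage.Send"]
    features = ["mail triage", "calendar coordination", "governance reporting"]
    print("scopes match documentation:", scopes_match_documentation(requested, features))
    for finding in audit_scopes(requested, features):
        print(f"{finding.scope}: {finding.reason}; {finding.suggestion}")
```

Run against the page's scope list, the audit flags all four scopes: the three `.ReadWrite` scopes get a read-only replacement and `ChatMessage.Send` has no read-only counterpart, so it is either dropped or put behind a confirmation prompt. The set returned by `least_privilege_scopes` is the list that should be passed to MSAL when acquiring the token, rather than the broad list the skill ships with.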

Unpinned Dependencies

Low
Category
Supply Chain
Content
msal
requests
python-dotenv
Confidence
95% confidence
Finding
msal

Unpinned Dependencies

Low
Category
Supply Chain
Content
msal
requests
python-dotenv
Confidence
99% confidence
Finding
requests

Unpinned Dependencies

Low
Category
Supply Chain
Content
msal
requests
python-dotenv
Confidence
93% confidence
Finding
python-dotenv
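The three Unpinned Dependencies findings above and the two Known Vulnerable Dependency findings below are two sides of the same problem: a bare package name installs whatever version the index serves that day, so neither the reviewer nor the scanner can say which code actually runs. The audit below is an added example, not code from the scanned skill or from SkillSpector. It classifies each line of a requirements file as unpinned, version-ranged, exactly pinned or hash-pinned, using the page's three bare names as the input and a constructed hardened file for comparison; the version numbers in that hardened file are placeholders, not recommendations, and pinning only helps against the CVE findings if the pinned version is at or above the fixed release.

```python
"""Requirement-pin audit.

Added example, not code from the scanned skill: it classifies each line of a
requirements file by how tightly it pins the package, so bare names such as
the three this page lists can be caught before install.  The hardened file
is constructed and its version numbers are placeholders.
"""
import re

# Package name, optional extras, then whatever version specifier follows.
_REQ_RE = re.compile(r"^(?P<name>[A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*(?P<spec>.*)$")

# The requirements exactly as the finding lists them.
PAGE_REQUIREMENTS = "msal\nrequests\npython-dotenv\n"

# Constructed hardened form: exact pins, one of them with a (placeholder) hash.
HARDENED_REQUIREMENTS = """\
msal==1.0.0 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
requests==2.0.0        # placeholder version
python-dotenv~=1.0     # compatible-release range, still not an exact pin
"""


def classify_requirement(line):
    """Return (name, status) or None for blank, comment and option lines."""
    body = line.split("#", 1)[0].strip()
    if not body or body.startswith("-"):      # -r, -e, --index-url, bare --hash
        return None
    has_hash = "--hash=" in body
    body = body.split("--hash", 1)[0].split(";", 1)[0].strip().rstrip("\\").strip()
    m = _REQ_RE.match(body)
    if not m:
        return None
    name = m.group("name").lower().replace("_", "-")
    spec = m.group("spec").strip()
    if "==" in spec:                            # == and === are exact pins
        status = "hash-pinned" if has_hash else "pinned"
    elif spec:                                  # >=, <, ~=, != and friends
        status = "ranged"
    else:
        status = "unpinned"
    return name, status


def audit_requirements(text):
    """Map each package in a requirements file to its pin status."""
    results = {}
    for line in text.splitlines():
        entry = classify_requirement(line)
        if entry:
            results[entry[0]] = entry[1]
    return results


def unpinned(text, allow_ranges=False):
    """Packages that would float to whatever the index serves at install time."""
    accepted = {"pinned", "hash-pinned"}
    if allow_ranges:
        accepted.add("ranged")
    return [name for name, status in audit_requirements(text).items() if status not in accepted]


if __name__ == "__main__":
    print("page requirements, unpinned:", unpinned(PAGE_REQUIREMENTS))
    print("hardened requirements:", audit_requirements(HARDENED_REQUIREMENTS))
```

On the page's file every package comes back `unpinned`; on the hardened file only the `~=` range is flagged unless ranges are explicitly allowed. Hash pins are the strongest of the three because they also defeat a substituted artifact at the same version.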

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
98% confidence
Finding
requests

Known Vulnerable Dependency: python-dotenv — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category
Supply Chain
Confidence
80% confidence
Finding
python-dotenv

VirusTotal

64/64 vendors reported this skill as clean. A clean antivirus verdict speaks only to known malware; it says nothing about the over-broad delegated scopes and unpinned dependencies reported above, which are design and supply-chain issues rather than malicious code.