Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

MS Forms Auto

v1.0.0

Automate Microsoft Forms daily submissions with M365 MFA support and dual-calendar integration to auto-fill training, content dev, and learning hours.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (MS Forms automation, dual calendars, M365 MFA) align with the included scripts: calendar fetching, Playwright-based login & submission, MFA handling, and credential setup. No unrelated services or env vars are requested.
Instruction Scope
SKILL.md instructs the user to save M365 email/password to config/credentials.json and to provide calendar URLs (config/calendars.json) that can contain auth tokens. Scripts also save storageState.json and produce screenshots/HTML (login-debug, login-debug screenshots). All of these actions are coherent with automating login/submission but mean sensitive data (passwords, session cookies, calendar tokens, HTML snapshots) are stored locally. The scripts do not appear to read unrelated system files or call external endpoints outside calendar URLs and Microsoft domains.
Install Mechanism
No special install spec in registry, but package.json requires playwright (pulled from npm) and the README expects 'npm install' and 'npx playwright install chromium' which downloads browser binaries. This is a standard but non-trivial install (Playwright downloads large browser artifacts). The sources are public npm/Playwright (not arbitrary URLs).
Credentials
No environment variables are requested. The skill requires storing M365 credentials (email/password) and calendar URLs/tokens in local config files. These are proportionate to the described functionality, but they are sensitive and merit careful handling (file permissions, gitignore, consider using a dedicated service account or limited account).
Persistence & Privilege
The skill does persist data (storageState.json, credentials.json, calendars.json, screenshots) but does not request always:true or system-wide privileges. Persisting auth state and credentials is expected for this automation, but it increases the blast radius if the filesystem containing these files is exposed.
Assessment
This skill appears to do what it says, but it requires highly sensitive data and local persistence. Before installing:
1) Prefer a dedicated/limited M365 account (not your primary interactive account) if possible.
2) Keep config/credentials.json and config/calendars.json protected (file mode 600, ensure they are in .gitignore and not backed up to untrusted services).
3) Be aware the skill saves browser storageState (cookies/tokens) and HTML/screenshots which can contain personal information—clean or remove them if you stop using the skill.
4) Review calendar URLs you paste into config (they may contain embedded tokens); treat them like secrets.
5) Run first tests manually in a controlled environment (headed mode) to confirm behavior; review screenshots/HTML outputs.
6) If you cannot accept storing your M365 password locally, do not install; consider using a service account, token-based integration, or an IT-approved automation solution instead.
scripts/calendar-fetch.js:26
File read combined with network send (possible exfiltration).
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Like a lobster shell, security has layers — review code before you run it.
