MS Forms Auto

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do the Microsoft Forms automation it advertises, but it requires high-trust Microsoft 365 credential and session access and can submit real records with limited safeguards.

Install only if you are comfortable letting this skill store and reuse Microsoft 365 credentials, session cookies, calendar feed URLs, and form data locally. Use a dedicated or least-privilege account if possible, verify the hard-coded form URL, run dry runs first, protect or remove config and screenshot files, and disable any cron schedule when no longer needed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection

Findings (20)

Context-Inappropriate Capability

Medium

Confidence: 95% confidence
Finding: The script is presented as a diagnostic tool for inspecting a Microsoft login page, but it unnecessarily reads a local credentials file before performing any page analysis. Accessing credentials in a context that does not require authentication expands the script's sensitivity and creates risk of unintended credential exposure, logging, or later misuse.

Intent-Code Divergence

Medium

Confidence: 86% confidence
Finding: The header comment claims the script only inspects login page structure, but the implementation also accesses local credentials and writes a screenshot to disk. This mismatch is dangerous because it obscures the script's real behavior, reducing informed review and increasing the chance that sensitive information is processed or stored without operator awareness.

Intent-Code Divergence

Medium

Confidence: 93% confidence
Finding: The script claims credentials are 'NEVER sent anywhere else' while also stating they are used for automated form submission, which is misleading and unsafe. False security assurances can cause users to disclose highly sensitive credentials under incorrect assumptions, especially since downstream automation may use those credentials for remote authentication.

Intent-Code Divergence

Medium

Confidence: 93% confidence
Finding: The header understates the script’s behavior by saying it 'just tries to log in,' while the code also reads credentials from disk and saves screenshots of pages after authentication attempts. That mismatch is dangerous because operators may run the script without realizing it handles secrets and writes potentially sensitive page contents to local files.

Vague Triggers

Medium

Confidence: 84% confidence
Finding: The trigger phrases are broad, generic workplace terms such as "fill out MS form" and "daily productivity log," which can easily match ordinary user requests and cause unintended activation of a skill that automates login and submission actions. In this context, accidental invocation is more dangerous than usual because the skill is capable of using stored credentials, session state, and calendar-derived data to submit external forms without clear human confirmation.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill explicitly instructs users to create and persist `config/credentials.json` with an M365 email/password and `config/storageState.json` with reusable authenticated session data, but it does not prominently warn about the sensitivity of these artifacts or the consequences of compromise. Because the same skill also automates form submission and accesses calendar data, theft or misuse of these files could enable account abuse, session hijacking, privacy exposure, and unauthorized submissions.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The script silently reads credentials from a local file with no warning, consent prompt, or visible justification. In an agent-skill context, hidden secret access is especially risky because users may run the tool expecting harmless diagnostics while it touches sensitive material behind the scenes.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The script loads a persisted Playwright storage state and later writes it back to disk, which can preserve authenticated session cookies or tokens in a reusable file. If that file is exposed through weak filesystem permissions, source control mistakes, backups, or other local compromise, an attacker may reuse the session to access the Microsoft Forms account or related authenticated resources without re-authenticating.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The script saves full-page screenshots before and after submission, which can capture entered form data, account details, confirmation pages, and other sensitive on-screen content. Writing these images to disk without notice or protection creates a durable copy of potentially sensitive information that could be accessed by other local users, included in backups, or accidentally shared.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The script intentionally saves full-page screenshots and raw HTML during an authentication flow, including before and after sign-in. Those artifacts can capture usernames, password-entry context, MFA prompts, session details, hidden form values, and other sensitive page content, then persist them unencrypted to disk without redaction, access controls, or explicit user confirmation.

Missing User Warnings

Medium

Confidence: 86% confidence
Finding: The script automatically reads credentials from a local file and submits them into a live Microsoft 365 authentication flow, but it provides no meaningful consent prompt, no provenance checks for the target, and no safeguards against misuse in an automated agent context. In a skill environment, this is dangerous because it normalizes silent credential handling and could be repurposed to harvest or misuse valid enterprise credentials against an external service.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The script persists Playwright storage state to disk after authentication, which can include session cookies and tokens that allow account reuse without re-entering credentials or MFA. Storing this material locally without user warning, encryption, or restrictive permissions creates a reusable session artifact that could be stolen and used for account takeover.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The script reads plaintext credentials from `config/credentials.json` and persists authenticated browser session state to `config/storageState.json` without any safeguards, warnings, or permission checks. Those files can expose reusable credentials or active session tokens to other local users, source control, backups, or malware, enabling unauthorized access to the Microsoft account and associated forms.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The script reads credentials from a local JSON file and automates Microsoft login, but it provides no meaningful warning to the operator about storing raw credentials on disk or persisting authentication state. This is dangerous because plaintext credentials and saved session state are high-value secrets that can be stolen from the filesystem, reused for account compromise, or exposed through backups and misconfigured permissions.

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: In live mode the script immediately clicks the submit button and performs an irreversible form submission without a final confirmation prompt or explicit pre-submit summary requiring user acknowledgment. This creates a safety and integrity risk because accidental execution, bad configuration, or manipulated form values can cause unintended submissions that cannot easily be undone.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The script automatically loads stored credentials and submits them to an external Microsoft-hosted login flow without any explicit user confirmation or safeguard around credential handling. In this context, automated credential submission increases the risk of unintended account use, credential misuse, and disclosure via logs, screenshots, or execution in the wrong environment.

Credential Access

High

Category: Privilege Escalation
Content: #!/usr/bin/env node /** * Interactive M365 credential setup. * Saves email and password to config/credentials.json (gitignored). */ const fs = require('fs');
Confidence: 95% confidence
Finding: credentials.json

Credential Access

High

Category: Privilege Escalation
Content: const readline = require('readline'); const CONFIG_DIR = path.join(__dirname, '..', 'config'); const CREDENTIALS_PATH = path.join(CONFIG_DIR, 'credentials.json'); function prompt(question, hidden = false) { return new Promise((resolve) => {
Confidence: 95% confidence
Finding: credentials.json

Credential Access

High

Category: Privilege Escalation
Content: async function main() { console.log('🔐 M365 Credential Setup\n'); console.log('This saves your Microsoft 365 email and password for automated form submission.'); console.log('Credentials are stored locally in config/credentials.json and NEVER sent anywhere else.\n'); if (fs.existsSync(CREDENTIALS_PATH)) { const overwrite = await prompt('⚠️ credentials.json already exists. Overwrite? (y/N): ');
Confidence: 97% confidence
Finding: credentials.json

Credential Access

High

Category: Privilege Escalation
Content: const ROOT_DIR = path.resolve(path.join(__dirname, '..')); const CONFIG_DIR = path.join(ROOT_DIR, 'config'); const CREDS_FILE = path.join(CONFIG_DIR, 'credentials.json'); const AUTH_STATE = path.join(CONFIG_DIR, 'storageState.json'); const ENTRIES_DIR = path.join(ROOT_DIR, 'daily-entries'); const FORM_URL = 'https://forms.cloud.microsoft/r/LsxLaEv13i';
Confidence: 96% confidence
Finding: credentials.json

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal