Outlook Plus

Security checks across malware telemetry and agentic risk

Overview

This Outlook skill does what it advertises, but it needs Review because it grants persistent read/write/send access to mail and calendars while storing powerful credentials locally and offering destructive actions with limited safety gates.

Install only if you are comfortable granting this skill persistent read/write/send access to Outlook mail and read/write access to calendars. Treat ~/.outlook-mcp as highly sensitive, avoid printing tokens, use only simple account names, verify exact targets before sending or deleting anything, and avoid downloading attachments to sensitive paths.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill declares shell-capable behavior but does not expose explicit permissions or guardrails for local command execution. In an agent environment, this weakens user awareness and policy enforcement, especially because the skill can run setup and token-management scripts that handle sensitive OAuth credentials.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The published description frames the skill as simple email/calendar access, but the documented behavior includes Azure app registration, local credential storage, token printing, and other higher-risk administrative actions. This mismatch can cause over-broad invocation and user consent to powerful operations they did not reasonably expect.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The download command can write attachment contents to an arbitrary user-supplied output path on the local filesystem. While downloading attachments is related to an Outlook skill, unrestricted local file write capability expands the trust boundary and could overwrite files in unexpected locations if the caller is tricked into choosing a sensitive path.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The script requests high-privilege Microsoft Graph scopes including Mail.ReadWrite, Mail.Send, Calendars.ReadWrite, and offline_access, which enables persistent read/modify/send access to a user's mailbox and calendar. While these permissions may support a 'manage' workflow, they exceed a minimal-privilege baseline and materially increase blast radius if the stored credentials or tokens are compromised.

Description-Behavior Mismatch

Low
Confidence
95% confidence
Finding
The script adds User.Read even though the described skill functionality focuses on email and calendar actions. Extra identity scope widens available data access and is unnecessary unless explicitly used for profile discovery or account validation.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The invocation text is broad enough to match many ordinary references to email or scheduling, increasing the chance the skill is auto-selected in contexts where the user did not intend mailbox or calendar modification. Because the skill supports sending, deleting, and credential-related actions, accidental invocation has meaningful security consequences.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The guide instructs users to store a long-lived OAuth client secret and token response on disk in plaintext JSON files under the home directory. Although it applies restrictive file permissions, it does not clearly warn that these files contain highly sensitive credentials or recommend safer storage such as a system keychain or secret manager, increasing the chance of accidental exposure via backups, sync tools, shell history, malware, or local compromise.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The delete command issues a permanent DELETE request to Microsoft Graph immediately after resolving an event ID, with no confirmation prompt, dry-run mode, or explicit safety gate. In an agent skill context, this increases the chance of accidental destructive actions from ambiguous user input, truncated IDs, or automation mistakes, causing unintended calendar data loss.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The script writes decoded attachment bytes directly to disk without any warning, confirmation, or explicit indication that local files will be modified. In an agent context, silent filesystem side effects are security-relevant because users may expect mail access, not local file creation.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script writes the OAuth client secret and token response, including access and likely refresh tokens, to disk under the user's home directory with no explicit warning about persistence or lifecycle. Even with chmod 600, local compromise, backups, multi-process access, or accidental exfiltration can expose credentials that grant ongoing mailbox and calendar access.

Credential Access

High
Category
Privilege Escalation
Content
~/.outlook-mcp/
  default/
    config.json
    credentials.json
  work/
    config.json  
    credentials.json
Confidence
93% confidence
Finding
credentials.json

Credential Access

High
Category
Privilege Escalation
Content
## Files

- `~/.outlook-mcp/config.json` - Client ID and secret
- `~/.outlook-mcp/credentials.json` - OAuth tokens (access + refresh)

## Permissions
Confidence
94% confidence
Finding
credentials.json

Credential Access

High
Category
Privilege Escalation
Content
version: 1.9.0
author: cristiandan
homepage: https://github.com/cristiandan/outlook-skill
metadata: {"clawdbot":{"requires":{"bins":["az","jq"]},"credentials":{"note":"Setup creates Azure App Registration and stores client_id/client_secret/OAuth tokens in ~/.outlook-mcp. The token script can print access tokens. Treat these as sensitive."}}}
---

# Outlook Skill
Confidence
90% confidence
Finding
access tokens

Credential Access

High
Category
Privilege Escalation
Content
- **Azure App Registration**: The automated setup creates an App Registration in your Azure tenant with the following permissions: `Mail.ReadWrite`, `Mail.Send`, `Calendars.ReadWrite`, `offline_access`, `User.Read`
- **Local credential storage**: Client ID, client secret, and OAuth tokens are stored in `~/.outlook-mcp/` with `chmod 600`
- **Token printing**: `outlook-token.sh get --confirm` prints access tokens (requires explicit confirmation flag)
- **Prerequisites**: Requires [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli) (`az`) and `jq`

If you prefer not to use automated setup, follow the manual configuration in `references/setup.md`.
Confidence
95% confidence
Finding
access tokens

Session Persistence

Medium
Category
Rogue Agent
Content
The setup script will:
1. Log you into Azure (device code flow)
2. Create an App Registration automatically
3. Configure API permissions (Mail.ReadWrite, Mail.Send, Calendars.ReadWrite)
4. Guide you through authorization
5. Save credentials to `~/.outlook-mcp/`
Confidence
88% confidence
Finding
Create an App Registration automatically 3. Configure API permissions (Mail.ReadWrite, Mail.Send, Calendars.ReadWrite) 4. Guide you through authorization 5. Save credentials to `~/.outlook-mcp/` ## M

VirusTotal

66/66 vendors flagged this skill as clean.
