Skillv1.9.0

VirusTotal security

Outlook Plus · External malware reputation and Code Insight signals for this exact artifact hash.

ReviewMay 1, 2026, 4:26 AM

Hash: f9c5a81f7ac4ad50ec91b8b90eec25bf955ba2de8b8cacf29e987b8b8aad4f61
Source: palm
Verdict: suspicious
Code Insight: Type: OpenClaw Skill Name: outlook-plus Version: 1.9.0 The skill is classified as suspicious due to its inherently high-risk capabilities, including the automatic creation of an Azure AD application with broad permissions (Mail.ReadWrite, Mail.Send, Calendars.ReadWrite) as detailed in `SKILL.md` and implemented in `scripts/outlook-setup.sh`. It also stores sensitive OAuth tokens and client secrets locally in `~/.outlook-mcp/` and provides commands to download email attachments to the local filesystem via `scripts/outlook-mail.sh`. While the scripts demonstrate robust input sanitization (e.g., using `jq --arg` for JSON payloads, URL encoding, and filename sanitization in `scripts/outlook-mail.sh`) and transparency regarding permissions, the extensive access and control over a user's email and calendar, coupled with the ability to create Azure resources, represent significant potential for misuse if the agent were compromised or given malicious instructions.
External report: View on VirusTotal