Agent Teams

Security checks across malware telemetry and agentic risk

Overview

This Teams automation skill is coherent, but it needs Review because it uses the signed-in Teams desktop session token and can read or act in Teams as the user.

Install only if you are comfortable letting this tool use your signed-in Teams desktop session. Use it on a trusted machine, verify the agent-messenger package source, require explicit approval before sending, deleting, uploading, broadcasting, monitoring, or snapshotting, and periodically clear stored credentials and MEMORY.md when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (18)

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The manifest describes a narrow Teams interaction skill, but the documented behavior includes broader capabilities such as token extraction, snapshotting recent messages and member data, and local persistence of workspace metadata. This mismatch is dangerous because agents, reviewers, or policy systems may grant or invoke the skill under an incomplete understanding of its data access and authentication behavior.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The manifest does not disclose that the skill extracts authentication tokens from the Teams desktop app and refreshes them automatically. Hidden credential-access behavior is security-sensitive because it expands the trust boundary from normal API use to local session harvesting, which can surprise users and policy engines.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The manifest does not disclose that the skill extracts authentication tokens from the Teams desktop app and refreshes them automatically. Hidden credential-access behavior is security-sensitive because it expands the trust boundary from normal API use to local session harvesting, which can surprise users and policy engines.

Intent-Code Divergence

Low
Confidence
82% confidence
Finding
The document says the CLI does not manage the memory file, but the skill instructions direct the agent to persist team, channel, user, and preference data across sessions. This inconsistency can mislead users about what data is retained and create unanticipated long-lived storage of organizational metadata.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The documentation states the tool can upload and download files, which exceeds the declared skill scope of sending messages, reading channels, and managing reactions. This scope mismatch is dangerous because it hides materially broader access to Teams data and may cause users or downstream systems to grant trust and permissions under false assumptions.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The authentication model relies on extracting a live user session token from the Teams desktop application's local cookie store. This is credential harvesting behavior: it bypasses normal delegated OAuth flows, grants the tool the user's full session context, and creates a high risk of account misuse, token theft, and policy or terms-of-service violations.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The guide explicitly instructs reading the Teams Cookies SQLite database to extract the skypetoken_asm session token. Directly harvesting a session cookie from another application's storage is highly sensitive because any compromise of the extracted token enables impersonation of the user for the lifetime of the session.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The troubleshooting steps tell users to grant broad filesystem access so the tool can read Teams application data. Requesting elevated disk access to reach another application's credential store materially increases the blast radius of the tool and normalizes unsafe permission expansion for credential access.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Automatic credential extraction and silent background authentication occur without an explicit privacy or access warning. That is dangerous because it normalizes access to locally stored Teams session material without ensuring the user understands that their desktop app credentials are being harvested and reused.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The memory instructions encourage persistent storage of team IDs, channel IDs, user IDs, names, aliases, and preferences without a clear privacy notice or retention policy. Even if message contents are excluded, this still accumulates sensitive organizational relationship data that can be reused or exposed across sessions.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill documents destructive and data-transmitting operations like deleting messages and uploading files without highlighting their consequences. This increases the chance of accidental harmful actions by an agent or user who assumes all commands are low-risk read/send operations.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The monitoring example continuously reads channel messages and prints author/content to stdout without any privacy notice, minimization guidance, or safeguards for sensitive conversations. In an agent skill for Teams, this normalizes collection and secondary disclosure of chat content into logs, terminals, or downstream systems that may have broader access than the original channel.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The snapshot example enumerates members, channels, and recent messages, then prints them directly, which can expose directory information and conversation content to logs or operators who would not otherwise browse that data together. Because this skill is specifically designed to interact with Teams, bulk snapshotting materially increases the risk of unnecessary data aggregation and disclosure.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The file upload pattern demonstrates transmitting a local file to Teams but does not warn that local artifacts may contain confidential, proprietary, or regulated data. In documentation for an automation skill, omission of that warning can lead users to upload sensitive files without validation, approval, or destination checks.

Missing User Warnings

Low
Confidence
79% confidence
Finding
The user lookup example queries and exposes team member directory data, then uses it to construct a mention, without noting privacy or authorization considerations. While lower impact than message-content exposure, it still encourages unnecessary directory enumeration and handling of personally identifiable information such as display names and IDs.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script echoes the full message body to stdout immediately before sending it to Teams. In automation contexts, stdout is commonly captured by CI logs, shell history wrappers, orchestration systems, or support bundles, so any secrets, personal data, or incident details included in the message can be exposed beyond the intended Teams recipients.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script writes the full Teams snapshot to disk by default, and that snapshot includes potentially sensitive metadata and content such as team identifiers, member details, and recent messages. Persisting this data locally increases exposure through accidental sharing, weak filesystem permissions, backups, or later compromise of the host.

Session Persistence

Medium
Category
Rogue Agent
Content
## Memory

The agent maintains a `~/.config/agent-messenger/MEMORY.md` file as persistent memory across sessions. This is agent-managed — the CLI does not read or write this file. Use the `Read` and `Write` tools to manage your memory file.

### Reading Memory
Confidence
90% confidence
Finding
write this file. Use the `Read` and `Write` tools to manage your memory file.

### Reading Memory

At the **start of every task**, read `~/.config/agent-messenger/MEMORY.md` using the `Read` tool to l

VirusTotal

63/63 vendors flagged this skill as clean.
