Skill v1.10.5

ClawScan security

Agent Teams · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious (Mar 6, 2026, 3:40 PM)
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's stated purpose (controlling Microsoft Teams) matches most of its behavior, but it instructs the agent to extract live authentication tokens from the Teams desktop app and to read and write local config files without declaring those filesystem accesses explicitly. This is sensitive, and the package install plus plaintext credential storage deserve caution.
Guidance
This skill appears to do what it says (manage Microsoft Teams), but it performs sensitive local operations: the CLI will scan your Teams desktop app data directories and extract the skypetoken_asm cookie to authenticate, and it will store that token (plaintext) under ~/.config/agent-messenger/. Before installing, consider:
1) Review the agent-messenger package source code (or vendor it) to confirm how token extraction and storage are implemented.
2) Be aware that you may need to grant your terminal Full Disk Access to read Teams data (macOS), which increases exposure.
3) Storing tokens in plaintext means anyone with access to your user account could reuse them (though tokens expire in ~60–90 minutes).
4) If you have strict security or compliance needs, run this tool in an isolated environment or decline installation.
5) Ask the publisher to update the registry metadata to declare the required config paths (Teams app data locations) so the access is explicit.
If you want, I can list precise questions to ask the maintainer or suggest safer alternatives (official Microsoft Graph API integrations) that use managed API credentials instead of local cookie extraction.

Review Dimensions

Purpose & Capability
note: The name and description (interact with Teams) align with the code and scripts: they call a CLI (agent-teams) that lists teams and channels, sends messages, monitors channels, etc. However, the SKILL.md and reference docs describe reading the Teams desktop app cookie DB (skypetoken_asm) and storing tokens locally, a legitimate but invasive technique that was not declared in the registry metadata (no required config paths).
Instruction Scope
concern: Runtime instructions explicitly direct the agent/tool to locate and read Teams desktop app data directories and the Cookies SQLite DB on macOS/Linux/Windows, extract skypetoken_asm, and store tokens in ~/.config/agent-messenger/teams-credentials.json. The SKILL.md also instructs the agent to always read, and sometimes overwrite, a persistent memory file (~/.config/agent-messenger/MEMORY.md) at the start of every task. Those filesystem reads and writes go beyond the declared requirements and involve sensitive local tokens.
Install Mechanism
note: The install spec is a Node package (agent-messenger) that creates the agent-teams binary. Installing an npm/Node package is a common approach; it is a moderate-risk install because it writes and runs third-party code on the host. No remote ad-hoc downloads or obscure URLs were present in the manifest.
Credentials
concern: No environment variables are requested, which is consistent, but the skill requires access to local Teams app data (Cookies DB) and will store tokens in plaintext at ~/.config/agent-messenger/teams-credentials.json (permissions 0600 recommended). That access to local credentials is sensitive and should be justified and explicitly declared in metadata; storing tokens in plaintext increases risk if the file or machine is compromised.
Persistence & Privilege
note: The skill uses a per-user persistent memory file (~/.config/agent-messenger/MEMORY.md) for agent state; it does not declare an always:true privilege and does not modify other skills. Persisting IDs and aliases across sessions is reasonable for a messaging integration, but the instructions require the agent to read this file at the start of every task, which gives the skill persistent context across agent runs.