Microsoft 365 Graph Openclaw

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-built for Microsoft 365 automation, but it asks for broad account access and has gaps in secret handling and in guardrails around high-impact actions that warrant review before use.

Install only if you are comfortable granting this skill read/write access to mail, files, calendar, and contacts. Prefer your own Microsoft app registration, reduce scopes where possible, protect the state and /etc secret files, avoid anonymous sharing unless intentionally needed, and review dry-run output before running the sudo setup scripts. VirusTotal was pending and was not used as a negative signal.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 89%
Finding: The skill advertises and documents capabilities that include environment access, file read/write, network access, and shell execution, but it does not declare an explicit permissions model. This creates a real security gap because operators and automated loaders cannot reliably enforce least privilege or understand that the skill can perform sensitive actions such as OAuth token handling, webhook setup, privileged shell scripts, and system configuration changes.

Context-Inappropriate Capability
Severity: Medium
Confidence: 89%
Finding: The diagnostic script reads secrets and sensitive runtime state from /etc/default/graph-mail-webhook and service-related files, then echoes some of that data to stdout. In a support or agent-executed context, this can expose bearer tokens, session identifiers, and operational metadata to logs, transcripts, or less-privileged operators beyond what is necessary for basic diagnostics.

Context-Inappropriate Capability
Severity: Medium
Confidence: 83%
Finding: The script performs host-level introspection using systemctl, ss, and later privileged journal access to inspect service state and listeners. While useful for debugging, this exceeds a narrow integration role and can disclose system topology and service health to an agent or user who should not necessarily have that visibility.

Description-Behavior Mismatch
Severity: Medium
Confidence: 89%
Finding: The script is presented as a mail listing/fetching utility, but it also exposes state-changing operations that can mark messages as read and move them to another folder. In an agent setting, this mismatch increases the chance that a caller invokes the tool assuming it is read-only, causing unintended mailbox modification, evidence hiding, or workflow disruption.

Intent-Code Divergence
Severity: Medium
Confidence: 92%
Finding: The module docstring and CLI description say the tool only lists or fetches Outlook email, while the implementation can also modify message state. In a skill ecosystem, inaccurate capability descriptions are dangerous because planners, agents, or users may treat the tool as safe for read-only access when it can alter mailbox contents and conceal unread messages.

Missing User Warnings
Severity: Medium
Confidence: 89%
Finding: The documentation exposes a destructive delete operation for contacts without any warning, confirmation prompt guidance, or recovery/undo considerations. In an agent skill that can act on a live Microsoft 365 account with Contacts.ReadWrite, this increases the chance of accidental or automated deletion of user data, especially when IDs are gathered from a prior list command and then used programmatically.

Missing User Warnings
Severity: Medium
Confidence: 89%
Finding: The share-link example demonstrates creating an organization-wide view link without any warning about access expansion, link lifetime, or sensitivity review. In a Microsoft 365 / OneDrive skill, this can normalize broad internal sharing and lead users to expose confidential files to all employees who can access the tenant.

Missing User Warnings
Severity: Medium
Confidence: 98%
Finding: OPENCLAW_SESSION_KEY is printed in cleartext during diagnostics, unlike other secrets that are masked. If terminal output is logged, shared in tickets, or captured by an agent platform, the session key could be reused to impersonate or interfere with OpenClaw sessions.

Missing User Warnings
Severity: Medium
Confidence: 85%
Finding: The share command can create OneDrive links with scope='anonymous', which may expose files outside the organization, yet the tool provides no warning, confirmation, or policy guardrail before doing so. In an agent skill context, this increases the chance of accidental data exfiltration because automated workflows or LLM-driven actions may invoke sharing without adequately appreciating the sensitivity of the target file.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: In agent mode, the worker packages email metadata and content fields such as subject, sender, bodyPreview, webLink, and identifiers into a JSON payload and sends them to a configurable webhook. This is a real data-exposure risk because the transmission site does not enforce destination trust boundaries, restrict allowed endpoints, or minimize sensitive fields, so misconfiguration or abuse can leak mailbox data to an external service.

Missing User Warnings
Severity: Medium
Confidence: 96%
Finding: The script prints the Graph webhook client state to stdout in its final summary. Client state is a shared secret used to validate Microsoft Graph webhook notifications; exposing it in terminal logs, CI output, shell history captures, or centralized logging weakens notification authenticity checks and can enable spoofed webhook requests by anyone who obtains the value.

Missing User Warnings
Severity: Medium
Confidence: 89%
Finding: The code persists the full OAuth token payload, including refresh tokens, to a predictable JSON file under a workspace state directory with no permission hardening, encryption, or user warning. In this Microsoft Graph skill, a stolen refresh token can grant long-lived access to mail, calendar, files, and contacts, making local token-at-rest exposure a real security issue rather than a documentation-only concern.

VirusTotal

VirusTotal findings are pending for this skill version.