Office 365 + Adobe User Provisioning

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate admin provisioning tool, but it needs review because it handles enterprise accounts and passwords with weak safeguards.

Install only after reviewing the code and running it in a tightly controlled admin environment. Do not use bundled or shared production secrets, rotate any credentials that may have been distributed with this skill, disable or protect the HTTP API unless it is behind authentication and a trusted network boundary, avoid sending passwords through email or chat, and require explicit human confirmation before reset, delete, or selftest actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (19)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documentation describes code capabilities including environment access, file read/write, and network operations, but does not declare permissions. In a provisioning tool that handles live credentials and external account changes, undeclared capabilities reduce transparency and make it easier to over-trust a highly privileged skill.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared description presents the skill as a user provisioning tool, but the documented behavior includes SMTP delivery of passwords, deletion/reset notifications, alias management, and additional mail-sending capability. This mismatch obscures the true security-sensitive behavior and can cause operators to invoke a much more privileged tool than they expect.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The documentation explicitly says the skill ships with real production credentials in a local .env file. Bundling live secrets with distributable tooling creates an immediate secret-exposure risk, enabling unauthorized account provisioning, password resets, mail sending, and downstream compromise if the directory is copied, archived, or leaked.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The documentation says initial passwords should not appear in logs, but elsewhere states the create command returns the password. That inconsistency encourages accidental disclosure through console output, shell history, CI logs, screenshots, or chat transcripts, undermining password confidentiality.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The client exposes a generic outbound email capability even though the skill’s declared purpose is Microsoft 365/Adobe user provisioning and management. This expands the action surface beyond the expected scope, enabling unauthorized notifications, phishing, or data exfiltration if the skill or its callers are misused, especially because it can send arbitrary subject/body content from a specified mailbox.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The send_mail method is not justified by the stated account-provisioning scope and accepts arbitrary recipients and body content. In a high-privilege Graph integration, that mismatch is dangerous because it gives a provisioning tool a communication primitive that could be abused for spam, social engineering, or sending sensitive operational details outside intended channels.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The activation trigger list includes very generic phrases such as '新建用户', '重置密码', '删除用户', and 'create user', which can match routine requests without enough provider, approval, or scope context. In an agent skill that performs account creation, password reset, deletion, and license assignment, overbroad auto-activation raises the chance that the wrong skill is invoked and destructive identity actions are taken under ambiguous user intent.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The README advertises destructive operations like reset, delete, and selftest without prominently warning about their irreversible or service-impacting consequences. Because this skill manages real Microsoft 365 and Adobe identities, weak operator warning increases the likelihood of accidental account deletion, unintended password resets, or disruptive test activity against production tenants.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The skill declares very broad activation triggers for high-impact account-management actions such as creating users, assigning licenses, resetting passwords, and deleting users. In an agent environment, overly generic trigger phrases increase the chance of accidental invocation on ordinary admin/helpdesk conversations, which can lead to unintended execution of privileged operations.

Natural-Language Policy Violations

Low
Confidence
84% confidence
Finding
The README says the skill should activate for requests in any language, but provides no opt-in, locale scoping, or disambiguation safeguards. That broadens the activation surface across multilingual conversations and raises the likelihood of false activation for a privileged provisioning skill, especially when combined with generic phrases like 'create user' or 'reset password'.

Missing User Warnings

High
Confidence
98% confidence
Finding
The README instructs operators to use bundled real production credentials, normalizing unsafe secret handling without adequate safeguards. Because this is an account-provisioning skill with administrative reach into Microsoft 365 and Adobe, any credential leakage can directly lead to unauthorized account creation, resets, license assignment, and further enterprise compromise.

Missing User Warnings

High
Confidence
96% confidence
Finding
The user-facing guidance tells operators to deliver initial passwords as part of the summary without requiring a secure transmission method. In practice, summaries are often sent through chat, tickets, or email, creating a straightforward plaintext credential disclosure path.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The client logs request payloads and response bodies for user-management operations, which can include email addresses, names, account metadata, group assignments, and error details. In an account-provisioning skill, these logs may expose sensitive identity data to log aggregators, operators, or other systems not intended to receive full provisioning records.

Missing User Warnings

High
Confidence
95% confidence
Finding
The self-test performs live account creation, license assignment/removal, and deletion against the real Adobe tenant using production APIs. A diagnostic routine that mutates external state can be triggered accidentally or abused to create, modify, or remove accounts and entitlements, especially dangerous in a provisioning skill where operators expect admin-level access.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The self_test method performs real administrative actions against Microsoft 365: it creates an account, resets a password, enumerates users, and deletes the account, with no explicit safety gate, dry-run mode, approval step, or operator confirmation in this code path. In a provisioning skill, these are highly privileged actions; accidental or unauthorized invocation can create audit noise, consume licenses, expose user inventory metadata, and modify tenant state.

Missing User Warnings

High
Confidence
99% confidence
Finding
The creation notification email includes the user's initial password in cleartext and sends it over email, which is commonly accessible by intermediaries, retained in mailboxes, and vulnerable to forwarding or compromise. In an account-provisioning skill for Microsoft 365, this directly exposes credentials for a high-value enterprise identity system and increases risk of account takeover.

Missing User Warnings

High
Confidence
99% confidence
Finding
The password reset notification sends the new password in cleartext email, creating an immediate credential disclosure path for a freshly reset enterprise account. Because password resets often occur during recovery or administrative intervention, exposing the new password by email can let mailbox compromise turn directly into account compromise.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The CLI exposes a destructive `delete` action that immediately forwards the identifier to `user_service.delete_user` without any confirmation, dry-run, or safety interlock at the entry point. In a high-privilege account-provisioning tool for Microsoft 365 and Adobe, a mistyped identifier, automation error, or social-engineered command can cause unintended account deletion and service disruption.

Ssd 3

High
Confidence
98% confidence
Finding
The documentation explicitly instructs inclusion of initial passwords in delivery summaries, which is a direct sensitive-data disclosure pattern. Given this skill's context—enterprise account provisioning with real tenant access—the guidance materially increases the likelihood of credential leakage through routine operational communications.

VirusTotal

64/64 vendors flagged this skill as clean.
