ClawHub

D365 F&O Developer

PassAudited by ClawScan on May 6, 2026.

Overview

This is an instruction-only D365 Finance & Operations developer guide with purpose-aligned examples, though users should be careful when applying its API and deployment examples to real ERP environments.

This skill appears safe to install as a documentation-only D365 F&O helper. Before using its API, DMF, security, or deployment examples, confirm you are working in the intended tenant and environment, use least-privilege credentials, and avoid applying update/delete/import operations to production without review.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

NoteHigh Confidence
ASI02: Tool Misuse and Exploitation
What this means

If a user copies these examples into a production tenant without review, customer or other ERP data could be changed or deleted.

Why it was flagged

The integration reference includes examples for creating, updating, and deleting D365 records. This is expected for a D365 developer skill, but these operations can mutate or delete business data if used against a real environment.

Skill content
POST /data/Customers ... PATCH /data/Customers(AccountNumber='DE-001') ... DELETE /data/Customers(AccountNumber='DE-001')
Recommendation

Use these examples in development or test environments first, verify the target environment and record identifiers, and require explicit approval before applying destructive or bulk operations.

NoteHigh Confidence
ASI03: Identity and Privilege Abuse
What this means

An over-privileged or mishandled token could allow unintended access to sensitive business data or account actions.

Why it was flagged

The skill documents use of OAuth bearer tokens for D365 API access. This is appropriate for D365 integrations, but such tokens represent delegated access to ERP data and operations.

Skill content
Authentication:
- Azure AD OAuth2 (client_credentials or auth code flow)
- Scope: `https://<env>.operations.dynamics.com/.default`
- Header: `Authorization: Bearer <token>`
Recommendation

Use least-privilege Azure AD app registrations or user roles, avoid sharing tokens in prompts or logs, and rotate credentials according to organizational policy.