D365 F&O Developer

Pass. Audited by VirusTotal on May 6, 2026.

Overview

Type: OpenClaw Skill
Name: d365-fo-developer
Version: 1.0.0

The skill bundle is a legitimate development assistant for Dynamics 365 Finance & Operations. It contains standard X++ code snippets, architectural guidance for OData and DMF integrations, and security best practices (XDS/RLS) across SKILL.md, references/integrations.md, and references/security.md. No indicators of malicious intent, data exfiltration, or prompt injection were found.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a user copies these examples into a production tenant without review, customer or other ERP data could be changed or deleted.

Why it was flagged

The integration reference includes examples for creating, updating, and deleting D365 records. This is expected for a D365 developer skill, but these operations can mutate or delete business data if used against a real environment.

Skill content

POST /data/Customers ... PATCH /data/Customers(AccountNumber='DE-001') ... DELETE /data/Customers(AccountNumber='DE-001')

Recommendation

Use these examples in development or test environments first, verify the target environment and record identifiers, and require explicit approval before applying destructive or bulk operations.

What this means

An over-privileged or mishandled token could allow unintended access to sensitive business data or account actions.

Why it was flagged

The skill documents use of OAuth bearer tokens for D365 API access. This is appropriate for D365 integrations, but such tokens represent delegated access to ERP data and operations.

Skill content

Authentication:
- Azure AD OAuth2 (client_credentials or auth code flow)
- Scope: `https://<env>.operations.dynamics.com/.default`
- Header: `Authorization: Bearer <token>`

Recommendation

Use least-privilege Azure AD app registrations or user roles, avoid sharing tokens in prompts or logs, and rotate credentials according to organizational policy.