ClawHub

M365 Planner

Security checks across malware telemetry and agentic risk

Overview

This is a real Microsoft Planner integration, but it uses powerful Microsoft 365 app credentials and can change or delete live Planner data with limited safeguards.

Install only after a Microsoft 365 administrator reviews the exact Graph permissions. Prefer the least-privilege scopes that work, protect and rotate the client secret, and avoid running cleanup or delete commands until the tenant, group, plan, bucket, and task targets have been independently verified.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (18)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill documentation clearly indicates access to local environment-stored secrets in ~/.openclaw/.env, but no explicit permission declaration is present. This creates a trust and transparency gap: an operator may invoke the skill without realizing it reads sensitive credentials from disk.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The stated purpose focuses on Planner management, but the documented behavior also includes tenant/group enumeration, local credential loading, OAuth token acquisition, and bulk deletion workflows. This mismatch matters because users may authorize or trust the skill for routine task management without understanding that it also discovers broader organizational metadata and performs destructive automation.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The reference labels broad write scopes as 'Required Permissions' while the skill metadata states narrower requirements, creating a dangerous permission mismatch. This can cause operators to overprovision the Azure AD app, expanding blast radius to unintended group and task modification if the skill or its inputs are abused.

Scope Creep

Medium
Confidence
87% confidence
Finding
Documenting plan and bucket create/update/delete capabilities implies the skill can perform group-level modifications, which generally require broader permissions than the manifest summary suggests. In a Microsoft 365 tenant, this makes the skill more dangerous because Planner plans are tied to M365 Groups, so misuse can alter shared team resources rather than isolated data.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The guide documents client credentials flow, which is app-only, but then tells users to validate access with `mgc me get`, a delegated-user endpoint that does not work with app-only tokens. This can mislead operators into troubleshooting authentication incorrectly, encouraging unsafe workarounds or misconfigured auth flows and causing insecure or nonfunctional deployments.

Scope Creep

High
Confidence
94% confidence
Finding
The setup guide asks for `Group.ReadWrite.All`, which is broader than the skill metadata's stated requirement of `Group.Read.All`. Over-scoped Microsoft Graph application permissions materially increase blast radius: if the app credentials are exposed or misused, an attacker could modify groups tenant-wide rather than only read them.

Scope Creep

Medium
Confidence
91% confidence
Finding
The guide requests `Tasks.ReadWrite`, while the skill metadata declares `Tasks.ReadWrite.All`, creating a permission-intent mismatch. This inconsistency can cause failed deployments, unclear operator behavior, or ad hoc permission escalation as users try to make the integration work, undermining predictable security boundaries.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
When no group ID is supplied, the script enumerates all accessible Microsoft 365 groups via `/groups`, which expands data access beyond narrowly listing Planner plans for a specified group. In a skill advertised as Planner-focused, this broad tenant reconnaissance increases unnecessary exposure of group names, IDs, and mail addresses and can aid later targeting or data discovery.

Scope Creep

Medium
Confidence
86% confidence
Finding
Using the broad `/groups` endpoint performs directory-wide enumeration that is not necessary for basic plan, bucket, and task operations once a target group is known. With app-only credentials and `Group.Read.All`, this can expose metadata across all accessible groups, making the skill more powerful than its Planner-centric purpose suggests.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script directly reads credentials from ~/.openclaw/.env, which gives the skill code implicit access to locally stored secrets outside explicit user input. In a skill context, this expands the trust boundary and creates a credential-harvesting capability that is not strictly necessary for Planner operations if credentials are instead injected through the runtime or a secret manager.

Scope Creep

High
Confidence
89% confidence
Finding
The connection test enumerates organization and group information, which exposes broader tenant metadata than is needed to verify basic Planner connectivity. This increases reconnaissance value for anyone who can run the script and may pull sensitive names, IDs, and domain details from the tenant.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The cleanup script is documented as deleting all completed tasks from a bucket, but the documentation does not prominently warn about irreversible deletion or require confirmation safeguards. In operational use, this can lead to unintended data loss, especially when plan or bucket names are mistyped or when users assume cleanup is non-destructive.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The examples show live Microsoft 365 Planner creation, update, and assignment commands without any warning that they operate on real tenant data. A user may copy and run them against production resources, causing unintended plan creation, task changes, assignments, or report generation against actual organizational data.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The API reference exposes destructive DELETE endpoints and broad write permissions without warning users about deletion, shared-resource impact, or the need for confirmation. In an agent setting, lack of safety guidance increases the chance that prompts or automation invoke irreversible actions against production Planner data.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The guide instructs users to place a long-lived client secret in a local `~/.openclaw/.env` file without any warning about credential sensitivity, file permissions, secret rotation, or safer secret storage. Because these are application credentials with tenant-wide Graph access, accidental disclosure through backups, logs, screenshots, or permissive filesystem access could enable unauthorized API use.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script permanently deletes completed Planner tasks immediately after matching the specified bucket, with no confirmation prompt, dry-run mode, or safety interlock. Because deletion is irreversible in normal use, a mistyped group, plan, or bucket argument can cause unintended data loss at scale.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script automatically reads M365 client credentials from `~/.openclaw/.env` and injects them into the process without prompting or disclosing that sensitive secrets will be used. In an agent-skill context, silent credential loading is dangerous because it enables privileged API access with app credentials and may surprise users or other tooling that executes the script.

Credential Access

High
Category
Privilege Escalation
Content
### test-connection.js
Tests connection to Microsoft Graph:
- Request access token
- Display tenant information
- List available M365 Groups
- Check Planner capability
Confidence
86% confidence
Finding
access token

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal