Security audit

M365 Unified

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a Microsoft 365 integration, but its webhook handler also performs under-disclosed invoice automation and sends email-derived details to Telegram while changing mailbox and SharePoint state.

Review before installing or running in production:
  • Use a dedicated Azure app with the narrowest possible mailboxes, sites, and Planner groups.
  • Do not run scripts/webhook-handler.js unless you intentionally want the invoice-processing and Telegram notification workflow.
  • Remove or disable Telegram settings if external messaging is not approved.
  • Test against a dedicated mailbox/site first.
  • Protect the generated .env file as a secret.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (20)

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 92%
Finding: The documentation presents the skill as a general Microsoft 365 integration, but the described behavior includes substantially more powerful automation: invoice detection, attachment/PDF extraction, mailbox mutation, SharePoint uploads, temporary result storage, webhook-triggered processing, and Telegram exfiltration of processing results. This mismatch prevents informed consent and can hide sensitive-data flows to external systems, making deployment riskier than users would reasonably expect.

Context-Inappropriate Capability
Severity: Low
Confidence: 90%
Finding: The debugging snippet recommends logging the full inbound request headers, which can capture authorization-related metadata, network details, and other sensitive operational information that is not necessary for routine webhook validation. In a publicly exposed webhook endpoint, these logs can become a secondary disclosure channel if retained insecurely, forwarded to centralized logging, or viewed by unauthorized operators.

Context-Inappropriate Capability
Severity: Low
Confidence: 97%
Finding: The script prints sensitive configuration values, including the webhook URL and mailbox identifier, directly to stdout. In many environments stdout is captured by CI logs, shell history tooling, terminal recorders, or centralized logging systems, which can expose internal endpoints and account information beyond the intended operator.

Description-Behavior Mismatch
Severity: Medium
Confidence: 88%
Finding: The script performs outbound messaging to Telegram/OpenClaw even though the skill is described as a Microsoft 365 integration. That scope mismatch is security-relevant because it introduces an external data egress path for invoice metadata that users and reviewers may not expect, increasing the chance of undisclosed data transfer outside approved M365 boundaries.

Intent-Code Divergence
Severity: Medium
Confidence: 98%
Finding: The function claims secret input 'will be hidden' but uses standard readline.question(), which echoes keystrokes to the terminal. This can expose the client secret to shoulder surfing, terminal scrollback, session recording, or shell logging, creating a real confidentiality issue during setup.

Description-Behavior Mismatch
Severity: Medium
Confidence: 91%
Finding: The handler is not limited to generic Microsoft 365 webhook receipt; it performs invoice-specific triage, spawns downstream processing, writes result files, and sends notifications. This creates capability drift from the declared skill purpose, which is dangerous because operators may grant trust and permissions based on the manifest while the code performs additional business processing with access to mailbox contents.

Context-Inappropriate Capability
Severity: High
Confidence: 97%
Finding: The code sends email-derived data such as subject, sender, supplier, invoice number, and error content to Telegram, which is an external third-party service outside the stated M365 scope. This can exfiltrate sensitive business data and potentially secrets or PII from emails into a less controlled channel, especially if Telegram configuration points to unintended recipients.

Context-Inappropriate Capability
Severity: Medium
Confidence: 84%
Finding: The webhook handler spawns a local invoice-processing script, extending behavior beyond simple webhook handling into arbitrary local execution paths. Even though the script path is fixed, this increases attack surface and operational risk because untrusted mailbox events can trigger local processing logic with inherited environment secrets and filesystem access.

Intent-Code Divergence
Severity: Medium
Confidence: 88%
Finding: The module documentation explicitly says it processes invoices, which conflicts with the generic M365 webhook/notification description. This mismatch is security-relevant because it obscures the true data-handling behavior from reviewers and users, undermining informed consent and risk assessment for a skill that touches email content and external messaging.

Intent-Code Divergence
Severity: High
Confidence: 98%
Finding: The function resolves metadata from the requested user's drive path but performs the deletion against `/me/drive/items/${item.id}` regardless of the `user` parameter. In a delegated or multi-user context, this can delete an item in the authenticated caller's own OneDrive instead of the intended target, causing unauthorized destructive actions and cross-context data loss if item IDs overlap or assumptions about drive scoping are wrong.

Missing User Warnings
Severity: Medium
Confidence: 84%
Finding: The README advertises broad mailbox, SharePoint, OneDrive, and Planner access, including application permissions such as Mail.ReadWrite and Files.ReadWrite.All, without a prominent upfront warning about tenant-wide data access and modification risks. In this context, operators may enable powerful app-only permissions before understanding that the skill can read, alter, move, delete, or upload sensitive enterprise content across many users and sites.

Missing User Warnings
Severity: Medium
Confidence: 87%
Finding: The webhook documentation explains how to expose an HTTPS endpoint for Microsoft Graph notifications, but it does not prominently warn that external infrastructure will receive event metadata about mailbox, file, or task activity. Even if payloads are limited, this can disclose sensitive organizational activity patterns and, in some implementations, trigger downstream processing of confidential content.

Missing User Warnings
Severity: Medium
Confidence: 82%
Finding: The guide presents webhook-triggered automations that create tasks, send emails, and copy attachments without clearly warning that these actions are state-changing and may execute automatically on external events. In the context of Microsoft 365 resources, this can lead to unintended data propagation, mail sending, or workflow changes if triggers are too broad, spoofed, misconfigured, or insufficiently reviewed.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The script automatically uploads attachments to SharePoint, marks emails as read, and moves messages to another folder without any confirmation, dry-run mode, or safety gating. In a mailbox automation context, these are state-changing operations that can misfile records, hide unread invoices, and make mistakes hard to detect or reverse at scale.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The script sends invoice-derived content such as the subject and processing status to an external messaging destination without any visible consent, disclosure, or minimization controls. In the context of Microsoft 365 invoice processing, even limited metadata can contain sensitive business or personal information, making this an unauthorized data exfiltration risk.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The wizard writes user-supplied client secrets into a .env file on disk immediately after collection, but does not give a clear warning at the moment of write or offer safer handling. Secrets written to disk can be exposed through backups, local compromise, accidental file sharing, or permissive filesystem permissions.

Missing User Warnings
Severity: Low
Confidence: 82%
Finding: The setup guide is saved to SETUP-INSTRUCTIONS.txt without clearly disclosing that entered identifiers and configuration values may be written into that file. While this file may not contain the client secret, tenant IDs, client IDs, mailbox names, site IDs, and group IDs can still be sensitive organizational metadata that broadens reconnaissance value if disclosed.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: This test script performs real SharePoint mutations by creating folders, uploading files, and deleting content without any explicit confirmation gate, dry-run mode, or strong warning before execution. In an agent skill context, especially one wired to production Microsoft 365 tenants, this increases the chance of accidental writes or deletions against live data if the script is run with valid credentials and a production site ID.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The function saves email attachments to SharePoint with `conflict: 'replace'`, which causes any existing file at the target path to be overwritten automatically. In a Microsoft 365 automation skill that bridges email and SharePoint, this is risky because attachment names are often attacker-controlled or at least externally influenced, so a crafted or colliding filename can destroy or replace existing documents without confirmation.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The code stores the Microsoft Graph access token directly on the returned client object as `_token`, making it accessible to any downstream code that receives the client instance. In an agent/skill environment, objects are often logged, inspected, serialized, or passed across module boundaries, so exposing a bearer token in this way materially increases the chance of credential leakage and misuse.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.exposed_secret_literal

Shell command execution detected (child_process).
Severity: Critical
Code: suspicious.dangerous_exec
Locations:
  • scripts/create-inbox-webhook.js:31
  • scripts/process-invoice-with-ocr.js:57
  • scripts/send-telegram-notification.js:75
  • scripts/webhook-handler.js:397

Environment variable access combined with network send.
Severity: Critical
Code: suspicious.env_credential_access
Locations:
  • scripts/manage-webhooks.js:31
  • scripts/process-invoice-email.js:32
  • scripts/process-invoice-with-ocr.js:160
  • scripts/send-telegram-notification.js:14
  • scripts/test-attachment-download.js:23
  • scripts/test-connection.js:15
  • scripts/test-invoice-flow.js:20
  • scripts/test-webhook-post.js:14
  • scripts/test-webhook.js:16
  • scripts/webhook-handler.js:27

File appears to expose a hardcoded API secret or token.
Severity: Critical
Code: suspicious.exposed_secret_literal
Locations:
  • scripts/test-invoice-flow.js:54
  • scripts/test-webhook.js:141
  • scripts/webhook-handler.js:318