Outlook Entra

Security checks across malware telemetry and agentic risk

Overview

This Outlook skill is not clearly malicious, but it asks users to create long-lived Microsoft access and stores/refreshes tokens in ways that are under-disclosed and under-hardened.

Install only if you are comfortable granting this skill durable access to Microsoft account data. Use the narrowest Graph scopes possible, set TOKEN_FILE_KEY, protect the token file, avoid the cron job unless you truly need always-on refresh, and download attachments only into a dedicated safe directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documentation describes capabilities that require environment variable access, local file writes, and network communication, yet no explicit permissions are declared. This creates a transparency and governance gap: operators may approve a seemingly simple read-only skill without understanding that it stores tokens locally, downloads attachments, and talks to external OAuth/Graph endpoints.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The skill claims read-only Outlook access for mail, calendars, and contacts, but the documented behavior also includes attachment downloads, profile access, local storage of long-lived OAuth tokens, token refresh automation, and revocation operations. Even if some actions are still non-destructive, the mismatch understates the actual data exposure and persistence behavior, which can mislead users and reviewers.

Context-Inappropriate Capability

Medium
Confidence
81% confidence
Finding
The README instructs users to install a persistent cron job that continuously refreshes OAuth tokens on the host. Even for a read-only mail skill, this extends credential lifetime and creates host-level persistence, increasing the blast radius if the account, token store, or host is later compromised.

Scope Creep

Medium
Confidence
83% confidence
Finding
The skill advertises only Mail.Read, Calendars.Read, and Contacts.Read, yet also documents a profile capability that typically requires User.Read or equivalent Graph access. This is a permission disclosure mismatch that can cause under-scoped review and accidental overprivileging during app registration.

Scope Creep

Medium
Confidence
88% confidence
Finding
The code calls the Microsoft Graph /me endpoint even though the declared skill scope is limited to Mail.Read, Calendars.Read, and Contacts.Read. If the backing app registration includes broader permissions such as User.Read, the skill can access identity/profile data beyond its stated purpose, creating unnecessary data exposure and a trust mismatch.

Missing User Warnings

Low
Confidence
77% confidence
Finding
The documentation shows attachment downloads to an arbitrary output path without warning about local file overwrite or unsafe destination choices. If a user supplies a sensitive or existing path, the feature could overwrite files or place untrusted content in locations later opened or executed by other software.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The download command writes attacker-controlled attachment content and filename-derived output to local disk without confirmation, overwrite protection, or safety checks. In a mailbox context, this is more dangerous because email attachments are a common delivery vector for malware and deceptive filenames, so the skill materially assists transferring untrusted content onto the host.

Credential Access

High
Category
Privilege Escalation
Content
## Notes

- The **device code flow** (RFC 8628): the user authenticates via `https://microsoft.com/devicelogin`. One time only.
- **Refresh tokens** are used automatically when the access token expires.
- If `TOKEN_FILE_KEY` is set, tokens are encrypted with AES-GCM before storage.
- 401 errors from the Graph API trigger an automatic refresh.
Confidence
89% confidence
Finding
access token

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
SKILL_DIR="/home/fred-ghilini/.openclaw/workspace/skills/outlook-entra"
( crontab -l 2>/dev/null | grep -v outlook_refresh; echo "55 * * * * ${SKILL_DIR}/.venv/bin/python ${SKILL_DIR}/scripts/outlook_refresh.py >> ~/.openclaw/outlook_refresh.log 2>&1" ) | crontab -
```

**Verification**:
Confidence
86% confidence
Finding
crontab -l

VirusTotal

64/64 vendors flagged this skill as clean.
