TinkerClaw Outlook Hack

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it asks for durable Microsoft account tokens and includes broad mailbox access and mutation features that exceed a simple read-and-draft helper.

Review carefully before installing. This skill requires handling a reusable Microsoft refresh token from a Teams browser session, can cache sensitive mailbox data on disk, and includes commands that can change or delete mail. Only use it in an account where you are comfortable granting broad Graph-backed access, and revoke the Microsoft session/token if you stop using it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (18)

Description-Behavior Mismatch

Medium (88% confidence)
Finding
The manifest materially understates the skill's capabilities by claiming it only reads Outlook mail and drafts replies, while the body documents broader access to calendar events, contacts, bulk export of email bodies, and attachment indexing. This mismatch can mislead users and reviewers into granting browser/session access without understanding the full data exposure and operational scope.

Context-Inappropriate Capability

High (99% confidence)
Finding
The skill instructs users to extract a long-lived MSAL refresh token from a Teams browser session and store it for later exchange into Graph access tokens. That is credential theft/repurposing beyond normal delegated OAuth flows, and it grants durable account access that can be reused across services and over time, far exceeding a simple mail-drafting feature.

Intent-Code Divergence

Medium (91% confidence)
Finding
The documentation claims the skill is not scraping and only uses Outlook's API, but its implementation depends on harvesting credentials from browser localStorage in a Teams tab. This misrepresentation obscures the real trust boundary and can cause users to underestimate that the skill is accessing browser-stored secrets rather than using a normal authenticated API integration.

Description-Behavior Mismatch

High (98% confidence)
Finding
The script does substantially more than the skill description promises: it bulk-fetches message bodies, attachment metadata, and then persists a mailbox archive and summary report to disk. In an agent skill whose stated purpose is only reading email and drafting unsent replies, this undisclosed data harvesting materially increases privacy and exfiltration risk and indicates deceptive scope.

Context-Inappropriate Capability

Medium (93% confidence)
Finding
The script stores refresh tokens locally and uses them to mint fresh access tokens, enabling durable, repeated access to the mailbox beyond a one-time session. That persistence is not necessary for a simple read/draft helper and creates a credential-retention mechanism that could be abused to maintain covert access to the account.

Intent-Code Divergence

Medium (91% confidence)
Finding
The header and usage text understate the script's actual capabilities by presenting it as an email fetcher while it also builds attachment indexes and a mailbox analysis report. This mismatch impairs informed consent and can hide sensitive secondary processing from users reviewing the skill superficially.

Description-Behavior Mismatch

High (98% confidence)
Finding
The skill metadata says it only reads Outlook email and drafts replies, but the command surface includes deletion, moving, flagging, attachment download, token handling, and access to folders, calendar, contacts, and profile data. This is a scope mismatch that can mislead users and downstream agents into granting broader access than expected, increasing the risk of unauthorized mailbox changes and data exposure.

Description-Behavior Mismatch

High (99% confidence)
Finding
The code performs mailbox mutations beyond drafting, including moving, flagging, and deleting messages. In the context of a skill advertised as non-sending and read-oriented, these hidden state-changing operations are dangerous because an agent or user may invoke them without understanding the destructive consequences.

Description-Behavior Mismatch

Medium (95% confidence)
Finding
The skill accesses calendar, contacts, and profile data even though its stated purpose is reading Outlook email and drafting replies. This unnecessary expansion of accessible data increases privacy exposure and can lead to overcollection of sensitive personal and organizational information.

Description-Behavior Mismatch

High (99% confidence)
Finding
The bulk fetch command exports large volumes of email content to a local JSONL file under the user's home directory. This materially exceeds the described behavior and creates a concentrated local cache of sensitive mailbox data that can be exfiltrated, mishandled, or retained indefinitely.

Context-Inappropriate Capability

High (97% confidence)
Finding
The documented token extraction flow and stored refresh-token capability are not justified by the stated read-and-draft purpose and provide durable credential access to Microsoft Graph. Refresh tokens are highly sensitive because they can be used to mint new access tokens repeatedly, enabling long-lived access to mailbox and related data.

Context-Inappropriate Capability

Medium (93% confidence)
Finding
The attachment download feature writes data to an arbitrary user-specified path, and the skill also writes bulk-fetched emails to local files. Even if not directly exploitable as code execution, this exceeds the skill's stated purpose and increases the risk of sensitive data leakage, accidental overwrite of local files, and unsafe persistence of confidential content.

Missing User Warnings

High (97% confidence)
Finding
The instructions tell users to extract and store a 90-day auto-rotating Microsoft refresh token without a clear warning that it is a highly sensitive account credential with broad privacy and security implications. A compromised or misused token can enable sustained access to mail, calendar, contacts, and other Graph-backed resources, making the risk much greater than ordinary application state storage.

Missing User Warnings

Medium (90% confidence)
Finding
The skill documents bulk download of full email bodies and attachment metadata to local files but does not provide an explicit privacy warning about copying potentially sensitive communications and document inventories into a workspace on disk. This increases the chance of accidental retention, secondary exposure, or misuse of confidential content beyond the user's expectation of simple inbox assistance.

Missing User Warnings

Medium (95% confidence)
Finding
The code bulk-exports sensitive email content to local JSONL files without any user-facing warning, confirmation step, retention policy, or protective controls. Mailbox contents often contain credentials, financial data, and personal information, so writing them to disk silently expands the attack surface to any local compromise or backup/sync leakage.

Missing User Warnings

Medium (96% confidence)
Finding
The script writes access and refresh tokens to a predictable file in the user's home directory without a clear disclosure that credential material will be persisted. Even with restrictive file mode, storing reusable OAuth credentials on disk creates a durable compromise path if the host, backups, or synced home directory are exposed.

Missing User Warnings

Medium (96% confidence)
Finding
The delete command permanently mutates mailbox state without any warning, preview, or confirmation step. In an agent setting, this is especially risky because destructive actions can be triggered accidentally or through prompt confusion, causing data loss and operational disruption.

Missing User Warnings

Medium (95% confidence)
Finding
The bulk export command saves message metadata and body text to local disk without strong disclosure in the primary skill description. In a skill context advertised as reading and drafting email, silent persistence of mailbox contents materially increases privacy and compliance risk.

VirusTotal

65/65 vendors flagged this skill as clean.
