Security audit

Openclaw Msteams Bot Elvatis

Security checks across malware telemetry and agentic risk

Overview

This is mostly a real Teams-to-OpenClaw connector, but it needs review because it silently reaches into host credentials, forwards and logs Teams file data, and bundles undisclosed high-impact Graph/GitHub write modules.

Install only after reviewing the source and deployment model carefully. Use least-privilege Azure, Graph, GitHub, and OpenClaw credentials; remove or isolate the unused Graph/GitHub modules if they are not intended; disable sensitive attachment/content logging; set clear retention controls for chat history and temp files; and avoid using this in channels that handle regulated or highly confidential data until those controls are in place.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (22)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The skill advertises no explicit permissions even though its implementation requires environment access and network connectivity. This creates a transparency and governance gap: operators may approve or deploy the skill without understanding that it can access secrets from the environment and communicate externally, increasing the chance of over-privileged or unsafe deployment.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 96%
Finding: The documented purpose is a Teams connector, but the code reportedly includes additional GitHub operations, Microsoft Graph file access/write capabilities, local config token retrieval, and local CLI execution. This is dangerous because it materially expands the trust boundary beyond the stated function, enabling repository access, file exfiltration/modification, credential harvesting from local config, and command execution paths that operators would not reasonably expect from the description.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding: The connector reads a gateway bearer token directly from a local OpenClaw config file and uses it for backend authentication, creating implicit privilege coupling between the plugin and the host agent environment. If the plugin is compromised, misconfigured, or exposed to unintended code paths, this token can be abused to access the gateway with the same privileges, expanding impact beyond Teams message handling.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding: The file implements a GitHub management skill with repository, issue, PR, and file access, while the package metadata describes a Microsoft Teams connector. This capability mismatch is dangerous because it can hide materially broader access than operators expect, increasing the chance that powerful GitHub actions are deployed and granted credentials without informed approval.

Context-Inappropriate Capability

Severity: High
Confidence: 96%
Finding: This function can create or modify repository files using configured GitHub credentials, which is a sensitive write capability unrelated to a stated Teams connector purpose. In an agent context, exposing silent write access enables unauthorized code changes, backdoors, workflow tampering, or defacement if the tool is invoked through prompt manipulation or misuse.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding: The skill can create GitHub issues in external repositories, which is an outbound action beyond the declared Teams connector scope. While less severe than file writes, this can still be abused for spam, social engineering, information disclosure, or unauthorized project manipulation from within a chat-driven agent workflow.

Intent-Code Divergence

Severity: High
Confidence: 97%
Finding: The source header and exported skill metadata clearly describe GitHub integration, contradicting the higher-level manifest claiming a Teams connector. Such deceptive or inconsistent labeling makes the skill more dangerous because reviewers may approve it under false assumptions and provision secrets or permissions inappropriate for the actual behavior.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The README states that SharePoint/OneDrive files are fetched automatically and analyzed by the AI, but it does not clearly warn that file contents will be transmitted to the bot backend and model provider. In an enterprise Teams integration, users may reasonably assume files remain within Microsoft 365 boundaries, creating a material privacy and data-handling risk.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The README says chat history is automatically persisted per channel as JSONL session files, but gives no prominent warning about retention, access scope, or privacy consequences. In shared Teams channels, persistent logs can expose sensitive business conversations to administrators, backups, or later compromise if storage protections are weak.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The bot logs attachment metadata and up to 500 characters of attachment content in plaintext. In a Teams connector, attachments can contain sensitive business data, secrets, personal data, and pre-authenticated URLs, so these debug logs create an unintended secondary disclosure channel to log stores and operators.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding: Downloaded images are written to plugin-local temporary files without user disclosure and without strong lifecycle guarantees. Although cleanup is scheduled, files persist on disk for several minutes and may remain longer on crashes or restarts, exposing sensitive attachment contents to local users, backups, or other processes.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding: SharePoint/OneDrive image attachments are persisted to local temp files in the same unsafe pattern as other images. Because these files often originate from enterprise document stores, local persistence increases the chance of unauthorized retention or disclosure beyond the Teams conversation.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding: HTML-embedded images are fetched and written to local temporary files without clear notice, creating another silent persistence path for user data. This broadens the data handling surface and can retain sensitive screenshots or shared images on disk outside expected chat boundaries.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: A locally sourced gateway token is transmitted over an unencrypted ws:// connection, even though the destination is loopback. While localhost reduces exposure, plaintext transport and silent credential use increase the risk of token interception via local compromise, debugging proxies, or unintended host/network configurations, and users are not informed that host credentials are being used on their behalf.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding: The file write tool performs repository modifications immediately with no built-in confirmation, preview, or user-facing warning. In conversational agents, the absence of an approval step materially increases the risk of accidental or prompt-induced destructive actions against source repositories.

Ssd 3

Severity: High
Confidence: 98%
Finding: The code automatically appends attachment contents, extracted text, and inline base64 image data into the prompt sent to the downstream gateway. This causes broad, implicit exfiltration of user-provided files and message content to another system, and in this skill context the connector is specifically designed to bridge Teams conversations into AI sessions, making over-sharing especially dangerous for enterprise data.

Ssd 3

Severity: Medium
Confidence: 96%
Finding: The debug logging emits attachment URLs and partial plaintext content, which can include confidential document snippets, image metadata, or temporary authenticated download links. In production, logs are often broadly accessible and retained longer than chat content, so this can materially increase exposure of sensitive Teams data.

Ssd 1

Severity: Medium
Confidence: 97%
Finding: The code injects natural-language instructions into model input telling the downstream agent to read a local file and then delete it. This is a semantic prompt-injection primitive: rather than passing structured attachment metadata, it embeds tool-use directives that can steer an agent into unsafe file access or destructive actions.

Ssd 1

Severity: Medium
Confidence: 97%
Finding: This branch repeats the same unsafe pattern by embedding instructions to use the read tool and delete a local file after handling an HTML/image attachment. In an agentic system, these phrases can be interpreted as authoritative instructions and can combine with other prompt content to trigger unintended tool use on local files.

Known Vulnerable Dependency: body-parser==1.20.2 — 1 advisory(ies): CVE-2024-45590 (body-parser vulnerable to denial of service when url encoding is enabled)

Severity: High
Category: Supply Chain
Confidence: 94%
Finding: body-parser==1.20.2

Known Vulnerable Dependency: express==4.18.2 — 2 advisory(ies): CVE-2024-43796 (express vulnerable to XSS via response.redirect()); CVE-2024-29041 (Express.js Open Redirect in malformed URLs)

Severity: Low
Category: Supply Chain
Confidence: 82%
Finding: express==4.18.2

Known Vulnerable Dependency: ws==8.20.0 — 1 advisory(ies): CVE-2026-45736 (ws: Uninitialized memory disclosure)

Severity: Low
Category: Supply Chain
Confidence: 72%
Finding: ws==8.20.0

VirusTotal

No VirusTotal findings