Outlook Calendar (M365)

Security checks across malware telemetry and agentic risk

Overview

This skill reads Outlook calendars as described, but it asks for and stores powerful Microsoft 365 credentials, cookies, and bearer tokens in ways users should review carefully before installing.

Review before installing. Prefer an official Microsoft OAuth or Graph calendar integration with calendar-read-only scopes. If you still use this skill, run it only on a trusted single-user machine, restrict permissions on ~/.outlook, avoid keeping your account password in config.json, delete cookies, tokens, logs, and debug screenshots after use, and invoke it only for explicit calendar requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill performs file writes and network access but does not declare corresponding permissions, which undermines informed consent and permission-based containment. In this context, those capabilities are used to authenticate to Microsoft 365, persist cookies/tokens, and access enterprise calendar data, so the undeclared scope is materially security-relevant.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill claims to read Outlook calendar data, but the documented behavior includes credential-based login automation, MFA handling, cookie persistence, and bearer-token interception/caching. That is a substantial expansion of behavior beyond a simple read-calendar skill and increases the chance users or platforms authorize a more privileged workflow than they intended.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The documentation instructs users to place their Outlook email and password in a local config file for automated login, exposing highly sensitive enterprise credentials to theft, reuse, or accidental leakage. For a calendar-reading skill, collecting raw credentials is broader than necessary and significantly raises the blast radius if the host or skill is compromised.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
Requiring browser automation to complete MFA and save session cookies introduces a powerful capability that can be repurposed for broader account access than calendar reading alone. Even if intended for convenience, automated interactive-login handling weakens trust boundaries around MFA and creates reusable authentication artifacts on disk.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The script loads stored Microsoft 365 credentials and performs a full browser-based login, then persists reusable session cookies to disk. For a skill whose stated purpose is only reading Outlook calendar data, this introduces broader account-access capability and durable authentication material that could be reused outside the intended scope if the host or files are compromised.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The screenshot helper captures login and MFA-related pages to files under the user's home directory. These images can expose sensitive authentication context, account identifiers, or MFA challenge details and are not necessary for a calendar-reading skill, increasing data leakage risk.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Reading email and password from a local config file means the skill depends on stored plaintext or retrievable credentials outside a secure secret-management boundary. In the context of a read-calendar skill, this is unnecessarily privileged and expands the blast radius if the file system is accessed by another process or user.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill’s stated purpose is calendar reading, but the implementation also extracts a Bearer access token from live browser traffic and stores it for later reuse. That materially expands the privilege boundary: whoever can read the cached token may be able to access Outlook data through APIs outside the intended interactive session, making this an unnecessary credential-harvesting behavior for the advertised function.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Using Playwright request interception to capture Authorization headers is a powerful credential-extraction technique, not merely a calendar-read operation. In this context it is more dangerous because the skill operates on a corporate Microsoft 365 account, so the captured token may grant access to sensitive enterprise mailbox/calendar data and can be reused until expiry.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The code bootstraps access by reading Outlook-related configuration and persisted cookies from the user’s home directory, which bypasses explicit per-run consent and relies on sensitive local session artifacts. In a skill context, this increases risk because it silently leverages existing authenticated state for enterprise data access, and compromise of those files can enable account misuse.

Vague Triggers

High
Confidence
91% confidence
Finding
The trigger rules are so broad that many ordinary phrases about work, tasks, or plans could invoke the skill unexpectedly. In a skill that accesses enterprise calendar data and authentication artifacts, over-triggering increases the risk of unnecessary sensitive-data access and user confusion about when external account data is being queried.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill handles highly sensitive credentials, cookies, and bearer tokens but does not provide a strong warning about the risks, storage locations, or consequences of compromise. This weakens user awareness and consent for a workflow that can expose enterprise account access beyond a single calendar read.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script silently consumes stored credentials without any user-facing warning, consent, or disclosure. That is risky because users may not realize the skill is accessing enterprise account credentials directly rather than using a constrained API authorization flow.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Persisting authentication cookies to disk without clear warning creates a reusable session artifact that may allow later access to Microsoft 365 resources beyond the immediate task. In an enterprise environment, stolen cookie files can enable session hijacking even without the original password.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill writes a reusable Bearer token to disk in token.json without warning, encryption, or use of secure credential storage. If another local process, user, or malware reads that file within the token lifetime, it can impersonate the user against Outlook APIs and access sensitive calendar data outside the intended tool flow.

VirusTotal

64/64 vendors flagged this skill as clean.
