ClawHub

Outlook Calendar

Security checks across malware telemetry and agentic risk

Overview

This skill is meant to read Outlook calendars, but it stores and reuses Microsoft 365 login secrets in ways that deserve careful review before installation.

Install only if you fully trust the publisher and are comfortable storing Microsoft 365 credentials, cookies, bearer tokens, and possible login screenshots on the local machine. Prefer a version that uses official Microsoft OAuth or Graph with calendar-read scope, narrows activation to explicit calendar requests, avoids password and cookie reuse, and documents how to protect, delete, and rotate stored secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script reads a Microsoft account email/password from a local config file and then drives a full browser login flow, including MFA handling, to obtain authenticated access. For a skill whose declared purpose is only to read calendar data, embedding credential use and interactive login automation is over-privileged and creates a clear path to account compromise or unauthorized session establishment if the host is shared, misconfigured, or the skill is triggered unexpectedly.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The screenshot helper saves images from the login and MFA pages to disk, which can capture sensitive authentication state such as email addresses, tenant branding, MFA prompts, and the numeric matching code. Persisting these artifacts is unrelated to normal calendar reading and increases the risk of credential theft, MFA bypass assistance, or leakage of sensitive account metadata.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The implementation automates sign-in, waits through MFA approval, navigates to Outlook, and persists the resulting session cookies. This materially exceeds a simple read-calendar capability and effectively creates a reusable authenticated browser session on disk, which an attacker or another local process could replay to access the user's Outlook data without repeating normal authentication.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The script’s stated purpose is to read calendar data, but it also programmatically extracts a Bearer token from live browser traffic and reuses it outside the browser session. That token is a reusable authentication secret which may grant broader mailbox/API access than the minimum needed for the displayed function, making this behavior significantly more dangerous than ordinary calendar retrieval.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code installs a Playwright request hook that inspects outgoing authorization headers and captures Bearer tokens from Outlook traffic. Intercepting session credentials is not necessary for a normal read-only calendar skill and creates a credential theft primitive that could be repurposed to access additional resources or impersonate the user.

Vague Triggers

High
Confidence
94% confidence
Finding
The trigger condition is extremely broad, requiring activation for nearly any mention of work, tasks, meetings, or plans. In practice this can cause the skill to activate on ambiguous prompts and access enterprise calendar data when the user may not be asking for Outlook information, creating unnecessary exposure of sensitive schedule data.

Vague Triggers

High
Confidence
95% confidence
Finding
The invocation rule mandates activation for broad, ambiguous categories without scope limits, forcing the skill to run even when the user's meaning is unclear. Because this skill accesses enterprise calendar information, over-triggering increases the chance of unnecessary data retrieval and disclosure of sensitive meeting details or work patterns.

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
The skill hard-codes conversion from UTC to Shanghai time without checking the user's locale, mailbox settings, or requested timezone. This can lead to incorrect schedule reporting, which is especially risky for meetings and deadlines, and may cause users to miss events or disclose inaccurate availability.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
Reading credentials from a local config file without prominent disclosure or consent handling is unsafe because it normalizes storing highly sensitive secrets in plaintext or weakly protected form. In this skill context, the practice is especially risky because the credentials are then used to establish an enterprise Microsoft 365 session, potentially exposing mail and calendar data if the file is read by other users or processes.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Saving authentication cookies to disk without explicit warning creates a durable bearer-token-like artifact that may grant continued Outlook access to anyone who can read the file. Because this skill is meant only to answer schedule questions, persisting full browser session material is unnecessary and significantly increases the consequences of local compromise.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The Bearer token is written to disk in JSON form under the user’s home directory with no encryption, no restrictive permission checks, and no user-facing disclosure. Any local process, malware, backup system, or other user with filesystem access could recover the token and reuse it until expiry.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal