ClawHub

Outlook Pywin32

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Outlook automation skill, but it can access and change sensitive local mailbox and calendar data with under-disclosed side effects.

Review before installing. Use this only with Outlook accounts you are authorized to expose to an agent, preferably in a limited Outlook profile. Confirm mail and calendar commands before running them, and assume reading a message may mark it as read and calendar edits involving attendees may have effects beyond a purely local note.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The function documentation promises that edits are only saved locally and that no notifications are sent, but the code modifies attendee-related fields on an Outlook appointment and then calls Save(). In Outlook/Exchange, changing meeting properties or attendees can trigger meeting update behavior depending on item type and client/server state, so this mismatch can lead to unintended outbound notifications or calendar changes affecting other people.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The function is presented as a read operation but it also mutates mailbox state by setting `msg.UnRead = False`. Hidden state changes are security-relevant because they can alter auditability, user workflow, and downstream automations that depend on unread status, especially when invoked by an agent on the user's behalf.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The README explicitly advertises capabilities to read, search, and enumerate local Outlook mail and calendar data, but it does not clearly warn users that the tool accesses potentially sensitive personal or corporate information from the local Outlook profile. In this context, the omission increases the risk of uninformed use and accidental exposure of mailbox contents, contacts, schedules, or other private data, especially because the tool also supports account switching and broad folder access.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill documentation exposes capabilities to read/search emails and create or modify Outlook mail/calendar data without any explicit warning, consent language, or guidance about handling sensitive personal and organizational information. In an agent context, these are privacy-sensitive and state-changing operations, so omission of safety boundaries can lead to unintended data access, unauthorized edits, or user surprise.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code silently marks messages as read after displaying them, with no user warning or consent. In an agent context this is more dangerous because merely inspecting mail can unintentionally hide unread items, interfere with user attention signals, and trigger logic in other tools that assumes the user has seen the message.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal