Outlook

Security checks across malware telemetry and agentic risk

Overview

The Outlook skill is mostly coherent, but it gives an agent powerful mailbox/calendar control and contains an attachment download flaw that can write files outside an expected download location.

Install only if you are comfortable letting the agent read and modify Outlook mail, send messages as you, and change calendar events. Treat ~/.outlook-mcp as sensitive credential storage, avoid using the token-printing command unless necessary, review every send/delete/bulk/calendar-change action, and do not download attachments with suspicious names or to sensitive directories until the download path handling is fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (16)

Description-Behavior Mismatch

Medium, 96% confidence
Finding
The download command writes attacker-controlled attachment bytes to an attacker-influenced local path and filename without restricting the destination. In an agent skill, this expands a mail-management capability into arbitrary local file creation, which can be abused to overwrite user files, place payloads in sensitive locations, or stage follow-on attacks if the agent is induced to save untrusted content.

Context-Inappropriate Capability

Medium, 94% confidence
Finding
The script exposes arbitrary file creation via the output path argument even though the skill is described as Outlook mail/calendar management. That mismatch increases risk because a seemingly mail-only capability can be used to persist files locally outside the user's expectation and outside least-privilege boundaries.

Description-Behavior Mismatch

Medium, 94% confidence
Finding
The script requests Mail.ReadWrite, Mail.Send, and Calendars.ReadWrite scopes even though the skill description emphasizes reading, searching, and managing Outlook content in a general way. Overbroad delegated permissions violate least privilege and, if the local tokens are stolen or the skill is misused, enable sending mail, modifying or deleting messages, and altering calendar events.

Description-Behavior Mismatch

Medium, 92% confidence
Finding
The setup script creates an Azure app registration and long-lived client secret locally, expanding the trust boundary beyond simply accessing Outlook data. This introduces persistent application credentials that can be abused if exposed, and is broader than users would reasonably infer from a mail/calendar access skill.

Vague Triggers

Medium, 88% confidence
Finding
The trigger terms are broad and overlap with many common email and scheduling requests, making accidental selection likely. In this skill's context, accidental invocation is more dangerous because the skill supports sensitive read/write mailbox and calendar operations and can access stored OAuth credentials.

Missing User Warnings

Medium, 95% confidence
Finding
The documentation advertises destructive and sensitive actions such as delete, archive, move, send, reply, and event deletion without any explicit warning, confirmation requirement, or least-privilege guidance. Because the skill operates on real mailbox and calendar data, these actions can cause data loss, unauthorized communications, or business disruption if invoked mistakenly or via prompt confusion.

Missing User Warnings

Medium, 96% confidence
Finding
The setup flow stores a client secret and OAuth tokens locally but does not present a clear security warning about local secret storage, file permissions, or the consequences of compromise. Anyone or any process with access to those files could potentially read mail, send email, and modify calendar data using the victim's account.

Missing User Warnings

Medium, 95% confidence
Finding
The guide instructs users to store a client secret and OAuth token response on disk, but does not clearly warn that these values grant ongoing access to the user's Microsoft Graph data. Although file permissions are restricted with chmod 600, local plaintext storage still creates risk from local compromise, backups, shell history, or accidental disclosure.

Missing User Warnings

Medium, 93% confidence
Finding
The instructions request broad delegated permissions including read/write mail, send mail, and read/write calendar access, but do not clearly explain the sensitivity of granting this scope. Users may consent without understanding that the app can read inbox contents, send messages as them, and modify calendar events.

Missing User Warnings

Medium, 92% confidence
Finding
The script performs destructive and state-changing calendar operations (create, update, delete) immediately against Microsoft Graph without any confirmation gate, dry-run mode, or explicit warning. In an agent skill context, this increases the risk of accidental or prompt-induced modification of a user's remote calendar data, especially when the skill may be invoked from natural-language requests.

Natural-Language Policy Violations

Medium, 85% confidence
Finding
The script hardcodes the Europe/Madrid timezone for both reads and writes, which can silently shift event interpretation and scheduling for users in other locales. In a calendar-management skill, incorrect timezone handling can cause missed meetings, events created at the wrong time, and inaccurate availability checks.

Missing User Warnings

Medium, 90% confidence
Finding
The attachment download operation performs a local file write without any explicit warning, confirmation, or indication that disk state will change. In agent contexts, silent writes are risky because users may think they are only inspecting email data while the skill is actually creating files on the host.

Missing User Warnings

Medium, 91% confidence
Finding
Bulk delete performs destructive mailbox changes across multiple messages with no confirmation, preview, or dry-run mode. In an agent-operated environment, a prompt misunderstanding or malicious instruction could rapidly cause broad mail loss or disruption with limited visibility to the user.

Missing User Warnings

Medium, 96% confidence
Finding
The script stores OAuth tokens in a local credentials file without prominently warning the user that sensitive bearer and refresh tokens are being persisted. Anyone who gains access to the local account or files can potentially reuse those tokens to read, modify, or send email and manipulate calendar data.

Missing User Warnings

Medium, 95% confidence
Finding
The script creates and stores a long-lived client secret without clear user disclosure that a reusable application credential is being generated. A stolen client secret can enable ongoing token acquisition in combination with authorization artifacts, increasing persistence and recovery difficulty after compromise.

Missing User Warnings

Medium, 98% confidence
Finding
The `get` command prints the raw OAuth access token directly to stdout, which can expose it through terminal history, logs, process capture, shell substitution, or other tools that consume command output. In this skill context, the token grants Microsoft Graph access to email and calendar data, so disclosure can enable unauthorized reading, sending mail, and calendar modification.

VirusTotal

58/58 vendors flagged this skill as clean.