OpenCloutlook

Security checks across malware telemetry and agentic risk

Overview

This Outlook skill mostly matches its stated purpose, but it needs review because it handles powerful Microsoft account permissions, exposes a raw access-token command, and includes unsafe LLM automation examples.

Review this before installing if you are not comfortable granting read/write access to Outlook mail and calendars. Protect the local token file, avoid using or logging the token-printing command, confirm any move/create/delete action before execution, and do not send mailbox or calendar contents to an external LLM unless the user explicitly approves that data sharing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (23)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill declares no permissions even though its detected capabilities include file read/write, network access, and shell execution. That creates a serious transparency and containment problem: a user or platform may authorize an email/calendar skill expecting Microsoft Graph-only behavior while the implementation can access local files, invoke commands, and make arbitrary outbound requests.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented purpose is limited to reading/managing Outlook mail and creating/listing calendar items, but the detected behavior expands into deleting calendar events, mailbox-wide search, listing calendars, fetching full event details, and marking messages as read. These undeclared side effects and broader data access are dangerous because they can modify user state, expose more sensitive information than expected, and bypass informed consent for destructive or privacy-impacting actions.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The contribution guide documents calendar event deletion functions (`cmd_delete()`) even though the stated skill metadata says the skill should only list and create calendar events. This capability mismatch is dangerous because it can lead contributors to preserve or extend destructive calendar operations that users and reviewers would not expect from the declared skill scope.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The documentation states the skill 'never deletes' email while instructing users to grant `Mail.ReadWrite`, a scope that also permits message deletion and other mailbox modifications. This is a security-relevant mismatch because users may consent under false assumptions about the skill's effective capabilities.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Exposing a dedicated command to print the raw Microsoft Graph access token broadens the skill from email/calendar operations into general credential extraction. Any caller, wrapper, log collector, or chained tool that can invoke this command can obtain a bearer token usable directly against Microsoft Graph, potentially enabling unauthorized mailbox and calendar access within the granted scopes.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The file implements `delete` functionality for calendar events even though the declared skill description only mentions listing and creating calendar events. This capability expansion increases the destructive scope of the skill and can enable unintended or unauthorized deletion if higher-level policy or user expectations are based on the published description.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The `read` command performs an additional state-changing action by calling `graph_api.graph_patch(..., {"isRead": True})` after fetching the message. That means a supposedly read-only operation modifies mailbox state without explicit user consent or clear disclosure, which can alter audit trails, downstream workflows, and user expectations in an email-management context.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The usage header documents `read <message_id>` as a read operation, but the implementation also marks the message as read. This mismatch is dangerous because operators, orchestrators, or calling agents may invoke the command under the assumption that it is non-mutating, causing unintended mailbox changes and violating the principle of least surprise for a mail skill.

Description-Behavior Mismatch

Medium
Confidence
76% confidence
Finding
The skill documentation exposes calendar deletion even though the manifest description does not declare it, creating a capability mismatch for a destructive action. This can bypass operator expectations, safety review, or consent flows that rely on manifest-declared scope, increasing the chance of unintended data deletion.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The README explicitly states that OAuth tokens are stored locally but does not warn users that refresh tokens are sensitive long-lived credentials that can enable ongoing mailbox and calendar access if stolen. In a skill handling email and calendar data, insufficient guidance around token protection increases the chance of accidental credential exposure through weak file permissions, backups, or shared machines.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The README highlights read/write mailbox and calendar features, including moving messages and creating events, without clearly warning that these operations can modify user data and may be hard to reverse. In the context of personal email and calendar access, lack of prominent warnings can lead users to grant broad permissions or trigger destructive actions without appreciating the consequences.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly demonstrates sending formatted inbox/email/calendar context to an external LLM without any warning about data sensitivity, consent, redaction, or third-party processing. Because this skill handles Outlook and Microsoft 365 personal data, the example normalizes exfiltration of potentially sensitive communications and calendar details to another service, which creates a real privacy and compliance risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The example shows taking model output and passing it to `process_llm_response()` to execute resulting commands, but provides no warning about validating, constraining, or requiring confirmation for actions. In a skill that can move emails and create calendar events, this enables unsafe automation where prompt injection, model hallucination, or malicious content in emails could trigger unintended mailbox or calendar modifications.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code directly executes state-changing actions from LLM-produced JSON, including moving email and creating calendar events, without any confirmation, authorization gate, or validation that the action matches explicit user intent. Because LLM output is untrusted and can be influenced by prompt injection from email/calendar content or model error, this can cause unauthorized mailbox changes or calendar modifications.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The assistant bundles inbox and calendar contents into LLM context without any user-facing notice, consent, or minimization controls, which can expose sensitive personal or business data to an external model provider. In an Outlook/Graph skill, email subjects, senders, dates, and event details are often highly sensitive, so silent transmission materially increases privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The setup guide asks for broad delegated permissions to read and modify email and calendar data without an upfront privacy and data-impact warning. In a skill handling personal communications and schedules, lack of clear disclosure increases the risk of over-consent and user misunderstanding about sensitive data access.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Printing the access token directly to stdout risks credential leakage through shell history, terminal scrollback, process capture, logs, CI output, or agent telemetry. Because OAuth bearer tokens are sufficient for API access without additional proof of possession, anyone who sees the token can act as the user until it expires, and may be able to chain it with a refresh token exposed elsewhere to retain access beyond expiry.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The command silently changes message state during a read path, with no prior warning in usage output or user-facing disclosure. In the context of an Outlook/Microsoft 365 skill, this is more dangerous because read/unread state is user-visible, may drive notification behavior or triage workflows, and can mislead the user into believing no mutation occurred.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger text is broad enough to match many generic email/calendar requests, which can cause the skill to be invoked more often than intended. In a skill with mailbox and calendar write capabilities, overbroad activation increases the risk of unnecessary access to sensitive messages or accidental state-changing actions.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Deleting calendar events is a destructive operation, and the documentation provides no explicit warning or confirmation requirement. In this context, a mistaken invocation could remove important appointments, causing data loss and real-world disruption.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Reading a message also marks it as read, which is a mailbox-modifying side effect rather than a purely read-only action. Without a prominent warning, users or orchestrators may unintentionally alter message state, affecting workflows, triage, or audit expectations.

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
Hard-coding `America/New_York` as the default timezone can create events at incorrect times for users in other regions. In a calendar-management skill, this can lead to missed meetings, scheduling confusion, and unintended invitations at the wrong local time.

Known Vulnerable Dependency: pytest — 1 advisory: CVE-2025-71176 (pytest has vulnerable tmpdir handling)

Low
Category
Supply Chain
Confidence
81% confidence
Finding
pytest

VirusTotal

55/55 vendors flagged this skill as clean.
