outlook-microsoft

Security checks across malware telemetry and agentic risk

Overview

This Outlook skill appears purpose-built, but it can modify mailbox and calendar data and stores OAuth credentials locally without enough safety guidance.

Review before installing. Use it only with an Azure app and mailbox/calendar you are comfortable allowing an agent to modify, restrict Graph permissions where possible, protect ~/.outlook-microsoft and any .env file with user-only permissions, never commit those files, and revoke tokens or rotate the client secret if they may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill exposes powerful capabilities including environment access, local file read/write, shell execution, and network access, but does not declare any explicit permissions or safety boundaries. This increases the chance that a host agent or reviewer will underestimate its reach, enabling unexpected access to OAuth tokens, local config files, and mailbox/calendar operations.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The description presents the skill as a mailbox/calendar management tool, but the documented behavior includes broader and more sensitive operations such as deleting messages/events, token lifecycle management, and other state-changing actions not clearly disclosed in the top-level purpose. This mismatch can mislead users and orchestrators into granting trust to a skill that can perform destructive or credential-adjacent actions.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation advertises destructive actions such as deleting mail and deleting calendar events without any warning, approval step, or confirmation requirement. In an agent setting, that omission materially raises the risk of accidental or prompt-induced destructive actions against real user data.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The guide explicitly instructs users to place `OUTLOOK_CLIENT_SECRET` in a `.env` file but does not warn about restricting file permissions, avoiding source control, or using a secret manager. Because this skill handles Microsoft 365 mail and calendar access, leakage of the secret can enable unauthorized token acquisition or broaden compromise when combined with tenant and client IDs.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
OAuth access tokens, refresh tokens, and optionally client secrets are written to disk in JSON files under the user's home directory without any permission hardening or user warning. On multi-user systems or misconfigured environments, local users, backup systems, or other software may read these files and gain persistent access to the user's mailbox and calendar.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The delete operation permanently triggers a state-changing action against the user's mailbox with no confirmation, dry-run, or safety interlock in the script. In an agent skill context, this increases the chance of accidental or prompt-induced destructive actions that can delete user data without a meaningful pause for verification.

Credential Access

High
Category
Privilege Escalation
Content
- Configuration files: `~/.outlook-microsoft/`
  - `config.json` - Client ID, Secret, Tenant ID
  - `credentials.json` - OAuth Token (managed automatically)
- Installation guide: [references/setup.md](references/setup.md)
Confidence
90% confidence
Finding
credentials.json

VirusTotal

67/67 vendors flagged this skill as clean.
