Microsoft 365 MCP Server

Security checks across malware telemetry and agentic risk

Overview

This Microsoft 365 integration is legitimate in purpose, but it asks for tenant-wide Microsoft Graph access and exposes read/write actions without clear guardrails.

Install only if you are comfortable giving an agent broad Microsoft 365 authority. Prefer a dedicated low-privilege Azure app, least-privilege or delegated permissions where possible, restricted users/resources, protected secret storage, logging, and explicit human approval before any send/post/create action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding:
The skill exposes a very broad set of Microsoft 365 capabilities across mail, calendar, files, tasks, Teams, and directory data with no in-code authorization boundaries, scope restrictions, or purpose limitation. In an agent context, this creates an over-privileged interface that can be abused to read sensitive data or perform actions across multiple services if the MCP client or prompting layer is compromised or misused.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The README advertises capabilities to read mail, files, chats, user data, and to send messages or modify calendars/tasks, but it does not warn users that this server can access and alter sensitive Microsoft 365 tenant data. In an MCP/agent context, exposing these actions without clear safety boundaries increases the chance of overbroad deployment, misuse, or accidental data access and modification.

Missing User Warnings

Severity: High
Confidence: 98%
Finding:
The setup instructions tell users to grant broad Microsoft Graph application permissions and admin consent, including tenant-wide read/write scopes for mail, files, chats, tasks, calendars, and users, without warning about the resulting organization-wide access. Application permissions with admin consent can enable this server to act across the tenant non-interactively, making compromise or misuse highly impactful.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The skill advertises broad Microsoft 365 capabilities across mail, files, chats, calendars, tasks, and users, including both read and write operations, but does not warn users that enabling it grants access to sensitive organizational data and allows external side effects such as sending mail or Teams messages. In the context of an agent skill, this omission is dangerous because users may connect high-privilege Graph permissions without understanding the confidentiality and integrity risks of agent-driven actions.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The documentation tells users to create a client secret and place it in configuration/environment settings, but it provides no guidance on secure secret storage, rotation, access control, or avoiding accidental disclosure in files, logs, or version control. Because the same setup also requests powerful application permissions, exposure of this secret could enable broad unauthorized access to Microsoft 365 data and actions.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The server directly executes tool calls that can send email, create events and tasks, and post Teams messages without any confirmation, policy validation, or human approval step. In an LLM-agent setting, this makes prompt injection, user confusion, or tool misuse materially more dangerous because the agent can perform external side effects immediately.

VirusTotal

65/65 vendors flagged this skill as clean.