Back to skill

Security audit

Microsoft 365 MCP Server

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Microsoft 365 integration, but it requests tenant-wide Microsoft Graph access and exposes read/write actions without enough scoping or confirmation controls.

Install only if you are an authorized Microsoft 365 administrator and intend to grant broad tenant-wide Graph access. Prefer least-privilege or separate read-only/write deployments, store Azure credentials securely, enable audit logging, and add explicit approval controls before mail send, Teams send, calendar/task creation, or file-content reads.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (9)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README advertises capabilities to send email, send Teams messages, create calendar events, and create tasks, but it does not warn users that the server can perform actions as a user or service principal and modify organizational state. In an enterprise M365 context, omission of this warning increases the risk of accidental misuse, social engineering, or unsafe deployment because operators may not appreciate that the tool is not read-only.

Missing User Warnings

High
Confidence
97% confidence
Finding
The setup instructions tell users to grant broad Microsoft Graph application permissions including read/write access across mail, files, chats, calendars, and tasks, with admin consent, but provide no warning about the breadth of tenant-wide access or data sensitivity. Because these are application permissions, compromise or misuse could enable organization-wide data access and message sending without per-user interaction, making the documentation materially dangerous in context.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill advertises broad Microsoft 365 capabilities including reading mail, files, chats, user profiles, and sending emails/messages, but it does not warn users about the privacy, security, and organizational impact of granting the listed high-privilege Microsoft Graph application permissions. Because the setup explicitly requests tenant-wide application scopes and admin consent, a user could enable organization-wide data access and outbound communication without understanding the blast radius.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill reads tenant credentials from environment variables and immediately uses them to obtain an application access token for Microsoft Graph, enabling broad remote access to organizational data. There is no user-facing disclosure, consent gate, or scope restriction in the skill itself, so an agent can silently authenticate and act against mail, files, chats, calendars, and users once installed.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill exposes write-capable operations such as sending email, creating events/tasks, and sending Teams messages without any confirmation or policy check at execution time. In an agent setting, prompt injection or user confusion could cause unintended external communications or modifications to enterprise records, making this materially risky.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill retrieves OneDrive file metadata and then follows the Graph-provided download URL to read file contents, returning up to 50,000 characters to the caller without any disclosure or approval flow. In context, this is a direct data-exfiltration primitive for potentially sensitive enterprise documents, and the broad Microsoft 365 access elsewhere in the skill makes the risk more severe.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"author": "Mahmoud Alkhatib",
  "license": "MIT",
  "dependencies": {
    "@modelcontextprotocol/sdk": "^1.0.0",
    "dotenv": "^16.3.1"
  },
  "devDependencies": {
Confidence
88% confidence
Finding
"@modelcontextprotocol/sdk": "^1.0.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"license": "MIT",
  "dependencies": {
    "@modelcontextprotocol/sdk": "^1.0.0",
    "dotenv": "^16.3.1"
  },
  "devDependencies": {
    "@types/node": "^20.10.0",
Confidence
86% confidence
Finding
"dotenv": "^16.3.1"

Known Vulnerable Dependency: @modelcontextprotocol/sdk==1.0.0 — 2 advisory(ies): CVE-2026-0621 (Anthropic's MCP TypeScript SDK has a ReDoS vulnerability); CVE-2025-66414 (Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protec)

High
Category
Supply Chain
Confidence
97% confidence
Finding
@modelcontextprotocol/sdk==1.0.0

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/index.ts:14