Microsoft 365 People

Security checks across malware telemetry and agentic risk

Overview

This skill is, for the most part, a disclosed Microsoft 365 People integration, but it gives an agent broad authenticated API access without enough scoping or confirmation guidance.

Review this before installing in a work tenant. Only use it if Membrane is approved for your organization, verify the Microsoft consent scopes, and require explicit approval for any POST, PUT, PATCH, or DELETE request. Prefer read-only discovered actions unless you intentionally want the agent to modify Microsoft 365 data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding
The skill explicitly exposes a generic proxy interface that supports arbitrary HTTP methods, including POST, PUT, PATCH, and DELETE, even though the manifest frames the skill as a Microsoft 365 People integration. This broadens the operational scope from reading people data to potentially modifying or deleting data through Microsoft Graph-adjacent endpoints, which can lead to unintended state changes if the agent selects the proxy path without clear constraints or confirmation.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding
The connection setup instructions use `membrane connection ensure "" --json` and describe creating a connection by arbitrary app URL or domain, which is much broader than a Microsoft 365 People-specific skill. This scope mismatch can cause the agent to establish connections to unintended third-party apps, increasing the chance of misuse, wrong-tool activation, or access to data outside the skill's declared purpose.

Vague Triggers

Severity: Medium
Confidence: 83%
Finding
The activation description says to use the skill when the user wants to interact with Microsoft 365 People data, while also claiming to manage data, records, and automate workflows. That wording is broad enough to match many loosely related enterprise or Microsoft 365 tasks, increasing the risk that an agent invokes this skill in situations beyond its safe or intended scope.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The proxy request section documents direct API access with destructive HTTP methods but provides no warning about write/delete effects and no requirement for explicit user approval. In an agent setting, this increases the risk of silent or accidental modification of external systems because the documentation normalizes unsafe operations alongside read-only queries.

VirusTotal

63/63 vendors flagged this skill as clean.