Outlook Mcp

Security checks across malware telemetry and agentic risk

Overview

This Outlook integration is mostly coherent and its behavior is disclosed, but it gives an agent live control of the account plus broad local-file and token-persistence behavior that users should review carefully.

Install only if you are comfortable giving an agent access to your personal Outlook data. Start with read_only=true, grant only specific allow_categories when needed, avoid automatic email sending/deletion, do not let the agent choose arbitrary attachment save paths, and use encrypted OS credential storage for OAuth tokens, especially on Linux.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares installation and runtime behavior that clearly involves shell execution, network access, and local file reads/writes, but it does not surface an explicit permissions declaration or warning in the skill manifest. That gap can cause users or orchestration layers to underestimate the trust boundary and approve a skill that can modify local state and reach external services.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The plan adds a debug-proxy workflow that captures full outbound agent request bodies, including tool metadata and potentially sensitive prompt/context data, even though the plugin's purpose is only to expose Outlook tools. This expands the data-exposure surface beyond the stated functionality and can leak private mail-related content or tokens if captures are mishandled.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill exposes many live-state modifying operations across mail, calendar, contacts, tasks, drafts, and folders, but the document does not prominently warn that actions affect a real personal Outlook account. In an agent setting, this increases the chance of unintended sends, deletions, moves, or event/contact changes caused by prompt confusion or automation mistakes.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation states that attachments can be downloaded and saved to a file, but it does not give a user-facing warning that decoded mailbox content will be written to the local filesystem. That omission raises the risk of accidental data exposure, unsafe file placement, or later execution/opening of sensitive or malicious attachments by downstream tooling or users.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The plan instructs operators to enable interception of outbound requests and inspect captured bodies without any privacy notice, data-minimization guidance, or warning that prompts, tool arguments, and Outlook-derived content may be recorded. In this context, the intercepted traffic can include highly sensitive personal communications and account metadata.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
download_attachment writes decoded attachment bytes directly to a caller-controlled save_path after only checking for '..'. That is insufficient because absolute paths, symlinks, special files, and arbitrary writable locations are still allowed, so an agent or prompt-injected workflow could overwrite local files without meaningful constraint or confirmation.

Session Persistence

Medium
Category
Rogue Agent
Content
        prompt_callback=None,
        auth_record: AuthenticationRecord | None = None,
    ) -> DeviceCodeCredential:
        """Create a DeviceCodeCredential with persistent cache."""
        global _warned_unencrypted_fallback
        cache_options = TokenCachePersistenceOptions(
            name=CACHE_NAME,
Confidence
96% confidence

VirusTotal

VirusTotal findings are pending for this skill version.
