v1.1.0

m365cli

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 6:21 AM.

Analysis

This is a coherent Microsoft 365 management skill, but it needs careful review because it grants broad work-account access and documents forceful changes to corporate mail, files, calendar, and SharePoint data.

GuidanceInstall this only if you want the agent to manage a work Microsoft 365 account. Verify the npm package, use the least-privileged account/scopes, avoid granting SharePoint Sites.ReadWrite.All unless necessary, require explicit approval for every destructive or sending action, avoid routine --force use, and review/logout stored credentials and trusted-sender entries when done.

Findings (6)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation

SeverityHighConfidenceHighStatusConcern

SKILL.md

**Deleting emails/files/events**: Inform the user before executing. ... `m365 mail delete <id> --force --json` ... `m365 od rm "old-file.txt" --force --json`

The skill documents destructive account operations and shows examples that skip CLI confirmation; merely informing the user is weaker than requiring explicit approval.

User impactAn agent using this skill could delete or move corporate email and files, change calendar data, or perform other account mutations with limited built-in review.

RecommendationRequire explicit user confirmation before any send, delete, move, share, upload, or calendar mutation, and avoid --force unless the user specifically approves that exact action.

Agent Goal Hijack

SeverityMediumConfidenceHighStatusConcern

SKILL.md

Only emails from whitelisted senders have their body content displayed. ... Use `--force` to temporarily bypass ... `m365 mail read <id> --force --json`

The skill acknowledges email-body prompt-injection risk, but the quick read example bypasses the sender whitelist by default.

User impactUntrusted email content could be pulled into the agent context and attempt to redirect the agent’s behavior.

RecommendationDo not use --force for routine email reading; only read full bodies for specific user-requested messages, and treat all email content as untrusted data.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceHighStatusNote

SKILL.md

install: npm install -g m365-cli ... Package: `https://www.npmjs.com/package/m365-cli` ... Publisher: `mrhah`

The skill depends on a globally installed external npm CLI package; this is central to the stated purpose, but the artifact does not pin a package version.

User impactInstalling the package gives local execution capability to whatever version npm resolves at install time.

RecommendationVerify the npm package and publisher, consider pinning a known version, and install it manually only if you trust that package.

Human-Agent Trust Exploitation

SeverityLowConfidenceHighStatusNote

metadata

Required binaries (all must exist): none ... Primary credential: none ... No install spec — this is an instruction-only skill.

The registry metadata does not declare the m365 binary, npm install step, or Microsoft login that the SKILL.md itself requires.

User impactA user relying only on registry metadata may underestimate the setup and account access required.

RecommendationTreat the SKILL.md prerequisites as authoritative and prefer metadata that accurately declares the required binary, install command, and account authentication.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityHighConfidenceHighStatusConcern

references/commands.md

Work account default scopes: `Mail.ReadWrite`, `Mail.Send`, `Calendars.ReadWrite`, ... `Files.ReadWrite`, ... `offline_access` ... SharePoint scope ... `Sites.ReadWrite.All`

The documented Microsoft 365 permissions allow broad delegated read/write access, mail sending, persistent refresh, and optional tenant-wide SharePoint read/write access.

User impactIf authorized, the skill can act with substantial authority over a work Microsoft 365 account and, with SharePoint consent, across organizational sites.

RecommendationUse the least-privileged account and scopes possible, do not grant Sites.ReadWrite.All unless it is truly needed, and revoke/logout credentials when finished.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityMediumConfidenceHighStatusNote

SKILL.md

Whitelist file: `~/.m365-cli/trusted-senders.txt` ... `m365 mail trust @example.com`

The skill uses persistent trust state that can cause future email bodies, including an entire trusted domain, to be shown to the agent.

User impactOverly broad trusted-sender entries could expose more email body content to the agent and increase prompt-injection exposure in later tasks.

RecommendationKeep the trusted-sender list narrow, prefer individual senders over whole domains, and periodically review or remove trusted entries.