Back to skill
Skillv1.1.0
VirusTotal security
m365cli · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 5:11 AM
- Hash
- d7cc3b935ebdf786388de0aa0d996cada0f760f2556b0f3c2235119e6293107d
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: m365cli Version: 1.1.0 The skill manages sensitive Microsoft 365 data using an unofficial CLI tool (`m365-cli` by `mrhah`) instead of the industry-standard `@pnp/cli-microsoft365`, posing a potential supply chain risk. While `SKILL.md` includes proactive security measures—such as a 'Trusted Senders Whitelist' to mitigate prompt injection from email bodies and explicit prohibitions against accessing `~/.m365-cli/credentials.json`—the use of a non-standard binary for handling OAuth-authenticated sessions is inherently risky. Additionally, the `_meta.json` file contains an anomalous future-dated timestamp (2026).
- External report
- View on VirusTotal