Outlook for Work/School 365

Security checks across malware telemetry and agentic risk

Overview

This Outlook skill appears legitimate, but it grants persistent mail/calendar write and send access and includes high-impact commands without built-in safeguards.

Install only if you are comfortable granting this skill the ability to read, modify, delete, and send Outlook mail and modify calendar events. Keep ~/.outlook-mcp private, avoid using the token-printing command, confirm sends/deletes/calendar changes manually, save attachments only to a safe directory, and revoke the Azure app or tokens when you no longer need the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The download command writes remote attachment content from Outlook directly to an arbitrary local path, which expands the skill from mailbox management into filesystem modification. This increases risk because a prompt or agent action can persist attacker-controlled files locally without any confirmation, path restriction, or validation of filename/content.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script requests Mail.ReadWrite, Mail.Send, and Calendars.ReadWrite even though the skill description emphasizes reading, searching, and managing mail/calendar in a broad way and does not justify full write/send access as the default setup. Overbroad OAuth scopes violate least privilege and, if the skill or host is compromised, enable mailbox modification, message sending, and calendar tampering rather than simple read-only access.

Context-Inappropriate Capability

Low
Confidence
84% confidence
Finding
The script adds User.Read even though that permission is not described in the skill purpose shown to the user. While User.Read is common and relatively limited, adding undocumented permissions expands access and erodes informed consent.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The `get` command prints the bearer access token directly to stdout, creating an easy exfiltration path for any caller, wrapper, shell history capture, logs, or downstream tool output. In the context of an Outlook/Graph skill, this token can grant mail read/write, send-mail, and calendar access, which exceeds what should be exposed through a simple helper script interface.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger description is very broad and overlaps with many ordinary conversations about email, inboxes, Outlook, calendars, and scheduling. That increases the chance the skill is invoked in contexts where the user did not intend to grant mailbox/calendar access, which is especially sensitive given the skill can read private content and send or delete messages.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill documents destructive and state-changing actions such as delete, archive, move, send, reply, forward, and calendar deletion without any confirmation or warning requirements. In an agent setting, this can lead to accidental data loss, unintended communications, or unauthorized calendar changes if the skill is triggered ambiguously or a prompt is misinterpreted.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The setup and usage sections describe mailbox access, attachment handling, token management, and saved credentials but omit clear privacy and data-handling warnings. Because the skill interfaces with highly sensitive personal and organizational communications, failing to warn users about the scope of access and local secret storage increases the risk of unintended exposure and poor operational hygiene.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The delete command performs a destructive action immediately after resolving an event ID, with no confirmation prompt, dry-run mode, or secondary validation of the target event. In an agent skill context, this increases the risk of accidental or mis-targeted deletion from ambiguous user input, especially because IDs are matched by suffix and the script lists only a subset of events when resolving the full ID.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script writes decoded attachment content to disk immediately with no warning, confirmation, or constrained destination. In an agent setting, this can silently create files from untrusted email content, enabling persistence, overwriting user files, or planting unsafe artifacts.

Missing User Warnings

High
Confidence
96% confidence
Finding
The `delete-folder` command performs irreversible or hard-to-recover mailbox modification without any confirmation barrier. In an agent context, a mistaken instruction, prompt injection from email content, or ambiguous user request could destroy mailbox organization at scale.

Missing User Warnings

High
Confidence
95% confidence
Finding
The `bulk-delete` command can move many messages to trash in one action without confirmation, preview, or per-item validation. This magnifies the blast radius of accidental or manipulated execution and can lead to significant mail loss or operational disruption.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script writes the OAuth client secret and tenant information to a local config file, and later stores OAuth tokens on disk, without prominently warning the user that persistent credentials will remain on the machine. Persistent secrets materially increase exposure to local compromise, backups, malware, or other users on the same system.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script grants high-impact Microsoft Graph permissions that allow mailbox and calendar changes and message sending, but it does not clearly warn the user that the tool will be able to modify email, send messages, and alter calendar data. In a setup script, hidden or underexplained privilege escalation is dangerous because users may consent assuming read-only behavior.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
Printing the access token to stdout exposes a live secret in a channel commonly captured by terminals, process supervisors, agent logs, CI output, and chat transcripts. Because this skill manages Outlook email and calendar through Microsoft Graph, disclosure of the token can enable unauthorized mailbox access, email sending, and calendar manipulation for the token's scope and lifetime.

VirusTotal

64/64 vendors flagged this skill as clean.
