Ms Todo Oauth

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Microsoft To Do CLI, but it handles OAuth credentials and task data in ways users should review before installing.

Install only if you are comfortable granting Microsoft To Do read/write access. Prefer creating your own Azure app credentials, avoid pasting authorization codes into shared chats when possible, protect or delete ~/.mstodo_token_cache.json when done, review exported JSON files as sensitive data, and do not use -y delete commands unless the exact task or list has been confirmed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
The script embeds a fallback OAuth client secret directly in source code. Any user or downstream consumer of the skill can recover and reuse that secret to impersonate the application, abuse its Microsoft Graph registration, and undermine secret rotation and tenant trust boundaries.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The export command writes full task contents, including notes, categories, dates, and potentially sensitive personal or work information, to a local JSON file without a strong warning. Users and agents may inadvertently create unprotected local data copies that persist beyond the session and are accessible to other processes or users on the machine.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The quick reference prominently documents destructive delete commands, including a force flag that bypasses confirmation, without any nearby warning that these actions irreversibly remove task lists or tasks. In an agent-operated context, concise command references are likely to be copied directly into automation, increasing the chance of accidental mass deletion or unintended destructive actions.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
OAuth tokens are serialized to a predictable file in the user's home directory with no permission hardening or prominent warning. On multi-user systems, shared environments, backups, or compromised endpoints, this can expose bearer tokens that grant Microsoft To Do access without reauthentication.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The export command writes full task contents, including titles, notes, dates, and categories, to a local JSON file without safety prompts or path restrictions. Since task data often contains personal or business-sensitive information, this can lead to accidental disclosure through shared directories, source-control commits, or insecure storage.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The default live test flow performs destructive operations against a real Microsoft To Do account, including deleting tasks and a list, and uses -y to suppress confirmations. This is dangerous because a user can run the suite expecting validation and unintentionally modify or remove live data with little runtime warning.

Missing User Warnings

Severity: Low
Confidence: 88%
Finding
The test suite exports tasks to a JSON file on disk during the default live flow without a prominent user-facing disclosure. Because task data may contain sensitive personal information, writing it to local storage can create unintended persistence and exposure through backups, shared directories, or later misuse.

Ssd 3

Severity: Medium
Confidence: 95%
Finding
The skill instructs the agent to ask the user for the OAuth authorization code and receive it back through the conversation. Authorization codes are sensitive authentication artifacts; routing them through the agent increases exposure in chat logs, telemetry, prompt history, or downstream tooling, and may enable token theft if mishandled.

Ssd 3

Severity: Medium
Confidence: 96%
Finding
The recommended workflow operationalizes collection of the user's authorization code by telling the agent to wait for and ingest it before running login verification. This creates a repeatable sensitive-data handling pattern that unnecessarily exposes ephemeral but valuable credentials to the agent layer.

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content
msal>=1.34.0

# HTTP library for API requests
requests>=2.32.5
Confidence: 94%
Finding
requests>=2.32.5

Known Vulnerable Dependency: requests — 10 advisories: CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

Severity: High
Category: Supply Chain
Confidence: 98%
Finding
requests

VirusTotal

66/66 vendors flagged this skill as clean.