Back to skill
Skillv1.0.4
VirusTotal security
Ms Todo Oauth · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 28, 2026, 8:29 AM
- Hash
- 52824e7a45b04fb2322fc12081a3ac96778f47016f9c03ada088a3da29a4432b
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: ms-todo-oauth Version: 1.0.4 The skill is classified as suspicious due to a critical security vulnerability: the hardcoded Azure AD application client ID and client secret in `scripts/ms-todo-oauth.py`. While the `SKILL.md` documentation acknowledges this and suggests replacement, its presence in the distributed code makes the application highly susceptible to compromise if the secret is leaked or revoked. This is a significant flaw that allows potential attacks, rather than proof of intentional malicious behavior. All network calls are directed to `graph.microsoft.com`, and no other indicators of malice (e.g., data exfiltration to unauthorized endpoints, persistence mechanisms, or prompt injection attempts against the agent) were found.
- External report
- View on VirusTotal