Outlook

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Outlook API guide for Maton Gateway, but it can access and change sensitive mailbox, calendar, and contact data.

Install only if you intend to connect Outlook through Maton Gateway. Treat MATON_API_KEY as a secret, avoid logging or committing it, review active Maton connections, and require confirmation before sending email or deleting/moving messages, folders, events, or contacts.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The skill documents destructive Outlook operations such as deleting mail folders without any warning, confirmation guidance, or discussion of irreversible consequences. In an agent skill context, this increases the risk that users or downstream agents invoke data-destructive actions casually, leading to unintended loss of mailbox structure or content.

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: The document instructs users to export and use a bearer API key that grants access to Outlook account data, but it does not include any privacy, scope, storage, or secret-handling warnings. This omission can lead to credential leakage, overbroad use of account access, or inadvertent exposure of sensitive email, calendar, and contact data.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal