agent-teams

Security checks across malware telemetry and agentic risk

Overview

This Teams skill appears purpose-built, but it needs review because it can silently pull your local Teams session token and act through your account.

Install only if you are comfortable giving an agent access to your Teams account through your existing desktop session. Use a test or low-risk account where possible, avoid sensitive teams and files, and know how to remove ~/.config/agent-messenger/teams-credentials.json, ~/.config/agent-messenger/MEMORY.md, and any saved team-snapshot JSON files when done.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill prominently states that credentials are extracted automatically from the local Teams desktop app and that authentication happens silently in the background, but this highly sensitive behavior is omitted from the manifest description. Silent token extraction from a local app materially changes the trust and privacy model because invoking seemingly ordinary commands can access local authentication artifacts without explicit user awareness.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill prominently states that credentials are extracted automatically from the local Teams desktop app and that authentication happens silently in the background, but this highly sensitive behavior is omitted from the manifest description. Silent token extraction from a local app materially changes the trust and privacy model because invoking seemingly ordinary commands can access local authentication artifacts without explicit user awareness.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The documentation explicitly states that the skill authenticates by extracting a live Microsoft Teams user token from the desktop application's local data. That expands the skill's effective scope from normal Teams interaction into credential harvesting and local file access, which is security-sensitive because it enables impersonation of the user and access to all Teams resources available to that account.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
This section instructs the tool to read the Teams desktop application's SQLite cookie database and extract the `skypetoken_asm` session token. Pulling reusable auth tokens from another application's cookie store is credential theft behavior in practice, and if abused it allows the tool or any compromise of its storage to act as the user in Teams.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The script performs authentication refreshes automatically as part of a read-oriented summary workflow, which expands its scope from passive reporting into auth-state mutation. In this skill context, that matters because running a seemingly harmless summary command can trigger credential refresh or interactive re-auth behavior, surprising the user and increasing the blast radius of the operation.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
A script advertised as generating a summary silently writes the full Teams snapshot to disk, which may include channel metadata, member information, and recent message content far beyond what is displayed. Persisting this sensitive collaboration data creates unnecessary local exposure through backups, shared workstations, loose file permissions, or later collection by other processes.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill tells users that running any command can silently trigger credential extraction from the Teams desktop app, yet it does not require a clear prior warning or consent. This is dangerous because normal read/list operations become implicit access to local authentication material, enabling surprise credential harvesting and unauthorized Teams access under the user's identity.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill documents on-disk storage of Teams credentials and team metadata, but the warning is weak relative to the sensitivity of the data and does not clearly explain persistence risks, local compromise implications, or cleanup expectations. Persistent storage of bearer-style tokens and account context can enable account misuse if the host or home directory is later accessed by another process or user.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The examples at this location retrieve recent Teams messages and print authors and message content directly to stdout. In an agent skill, that can expose potentially sensitive business communications, PII, or secrets to logs, terminals, or downstream systems without any warning, minimization, or redaction guidance.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script echoes the full message body to stdout immediately before sending it, which can disclose sensitive content into terminal scrollback, CI/CD logs, shell history capture tools, or centralized log collectors. In the context of a Teams messaging skill, message bodies may contain incident details, credentials, links, customer data, or internal operational information, so logging them by default creates an avoidable confidentiality risk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script stores a full Teams JSON snapshot locally without explicit notice or consent, creating a privacy and data-handling issue even if the file is only local. In a Teams integration, the snapshot can contain internal names, email addresses, channel structure, and message excerpts, so silent persistence materially increases the chance of unintended disclosure.

Unrestricted Tool Access

Medium
Category
Excessive Agency
Content
## Authentication

Credentials are extracted automatically from the Teams desktop app on first use. No manual setup required — just run any command and authentication happens silently in the background.

Teams tokens expire in 60-90 minutes. The CLI automatically re-extracts a fresh token when the current one expires, so you don't need to manage token lifecycle manually.
Confidence
88% confidence
Finding
run any command

Credential Access

High
Category
Privilege Escalation
Content
4. Extracts `skypetoken_asm` cookie value
5. Validates token against Teams API before saving
6. Discovers ALL joined teams
7. Stores credentials securely in `~/.config/agent-messenger/teams-credentials.json`

### Platform-Specific Paths
Confidence
95% confidence
Finding
credentials.json

Session Persistence

Medium
Category
Rogue Agent
Content
## Memory

The agent maintains a `~/.config/agent-messenger/MEMORY.md` file as persistent memory across sessions. This is agent-managed — the CLI does not read or write this file. Use the `Read` and `Write` tools to manage your memory file.

### Reading Memory
Confidence
89% confidence
Finding
write this file. Use the `Read` and `Write` tools to manage your memory file. ### Reading Memory At the **start of every task**, read `~/.config/agent-messenger/MEMORY.md` using the `Read` tool to l

Session Persistence

Medium
Category
Rogue Agent
Content
## Manual Token Management (Advanced)

If automatic extraction fails, you can manually create the credentials file:

```bash
# Create config directory
```
Confidence
91% confidence
Finding
create the credentials file: ```bash # Create config directory mkdir -p ~/.config/agent-messenger # Create credentials file cat > ~/.config/agent-messenger/teams-credentials.json << 'EOF' { "token

VirusTotal

65/65 vendors flagged this skill as clean.
