Full access to all Exchange 2010 EWS functions, should work with other EWS Open Source

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Exchange integration, but it gives an agent broad live mailbox authority with weak guardrails and unsafe attachment file handling.

Install only if you intend to give the agent broad Exchange access. Use least-privilege credentials, verify the PICARD_PASSWORD versus EXCHANGE_PASSWORD mismatch before use, remove organization-specific defaults, protect the credentials file, require explicit confirmation before sending mail or changing/deleting Exchange data, and restrict attachment downloads to a safe directory with sanitized filenames.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (11)

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The skill advertises destructive capabilities such as updating and deleting calendar events, marking mail as read, modifying out-of-office settings, and deleting tasks without any explicit warning, confirmation guidance, or scope limitations. In an agent setting, this increases the risk of accidental or unauthorized state-changing actions against a user's mailbox and calendar, especially if the agent is prompted ambiguously or operates on shared resources.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The skill explicitly exposes access to shared calendars/mailboxes and directory/contact resolution (GAL) without any privacy, authorization, or data-handling warning. In practice, this can enable unintended access to other users' schedules, mailbox content, and organizational directory information if an agent is given broad Exchange permissions or delegates are misconfigured.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
This function performs a state-changing action against a live Exchange calendar with no built-in confirmation, authorization gate, or dry-run protection. In an agent setting, that makes accidental or prompt-induced unauthorized event creation plausible, especially because the skill exposes direct write primitives to a sensitive enterprise system.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
This function can send outbound email immediately using stored Exchange credentials, without any confirmation, recipient restrictions, or content validation. In an agent context, that enables phishing, data exfiltration, spam, or reputational harm if a prompt or upstream tool invocation causes unintended sending.

Missing User Warnings

Severity: High
Confidence: 97%
Finding
This function irreversibly deletes calendar events with no confirmation, ownership verification, or recovery guardrails. In a delegated Exchange environment, accidental or malicious invocation could disrupt schedules, destroy records, or impact other users' shared calendars.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The function writes untrusted attachment content to local temporary files without user confirmation and leaves paths in results, increasing the risk of unintended local persistence of sensitive or malicious files. In an agent environment, this expands the attack surface for disk exhaustion, sensitive data leakage, and follow-on processing of attacker-supplied files.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
This function creates tasks in Exchange without any confirmation or approval mechanism. While less severe than email sending or deletion, it still permits unauthorized state changes that could clutter workflows, create misleading records, or be abused for social engineering inside a corporate account.

Missing User Warnings

Severity: High
Confidence: 96%
Finding
This function deletes tasks with no confirmation, undo support, or authorization checks beyond whatever Exchange permits. In an autonomous-agent context, destructive task deletion can remove work tracking and evidence of actions, causing operational disruption and loss of information.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
This function downloads email attachments to an arbitrary path on disk without warning, enabling uncontrolled file writes from untrusted email content. In a skill that processes enterprise mail, that is dangerous because attachments may be sensitive or malicious, and arbitrary local writes can expose data or facilitate later misuse.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
This function updates existing calendar events directly, without any confirmation, change preview, or mailbox-specific authorization guardrails. In delegated/shared-calendar scenarios, unauthorized or mistaken updates can alter schedules, mislead attendees, and disrupt operations.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
This function changes Out of Office settings immediately, which can affect business communications and leak messaging externally if misused. In an enterprise Exchange integration, an agent altering OOF state without confirmation could cause missed communications, social-engineering opportunities, or reputational harm.

VirusTotal

64/64 vendors flagged this skill as clean.
