Full access to all Exchange 2010 EWS functions, should work with other EWS Open Source
Suspicious. Audited by ClawScan on May 10, 2026.
Overview
The skill is a plausible Exchange mailbox manager, but its credential handling is inconsistent and includes undocumented hardcoded default account/server values that should be reviewed before use.
Review or fix the credential code before installing. Only use this skill with an Exchange account you are comfortable letting the agent read and modify, and require confirmation for sending email, deleting or updating calendar/task data, and changing out-of-office settings.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted email could contain text that attempts to mislead the agent while the agent is summarizing or processing mailbox content.
The skill returns email body content to the agent. Email and attachment text can be untrusted content, so a malicious message could try to influence the agent if treated as instructions.
```python
'body': item.body,
```
Treat email and attachment text as untrusted data; keep user instructions and system policy authoritative when processing mailbox content.
If invoked incorrectly, the skill could send emails, mark messages read, change calendar events, complete/delete tasks, or alter out-of-office settings.
These are high-impact Exchange operations. They are consistent with the skill's stated purpose, but users should be aware that the agent can mutate mailbox and account data.
- ✅ **Email**: Read unread, send, search, mark as read
- ✅ **Calendar**: View, create, update, delete, search events
- ✅ **Tasks/To-Do**: Manage, create, complete tasks
- ✅ **Out-of-Office**: Read and set absence messages
Use a least-privilege Exchange account where possible and require explicit user confirmation before sending, deleting, or modifying account data.
The skill may fail unexpectedly, use the wrong account, or send credentials to an Exchange server the user did not intend to configure.
SKILL.md documents an EXCHANGE_PASSWORD-style setup, but the code reads PICARD_PASSWORD and falls back to hardcoded friendly-it account and server defaults. This makes the credential scope unclear: if the undocumented variables are present, the skill could authenticate as an unintended Exchange identity or against an unintended host.
```python
import os

# Variable names and defaults as found in the skill: the PICARD_* names and the
# friendly-it account/server defaults are not the EXCHANGE_* variables SKILL.md documents.
domain = os.getenv('EXCHANGE_DOMAIN', 'friendly-it')
username = os.getenv('PICARD_USERNAME', 'picard')
email = os.getenv('EXCHANGE_EMAIL', 'picard@friendly-it.com')
password = os.getenv('PICARD_PASSWORD')
server = os.getenv('EXCHANGE_SERVER', 'oberau.friendly-it.at')
if not password:
    # The error names EXCHANGE_PASSWORD, but the variable actually read is PICARD_PASSWORD.
    raise ValueError("EXCHANGE_PASSWORD not found in .env.credentials")
```

Do not use until the credential handling is corrected: remove real hardcoded defaults, use the documented EXCHANGE_* variables consistently, and declare required credentials/env vars in metadata.
