Msteams

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Microsoft Teams channel plugin, but it handles credentials, files, feedback, and Teams data in ways that deserve review before installation.

Install only if you are comfortable granting a community Teams plugin Microsoft app credentials and possible delegated user tokens. Review its Teams/Graph permissions, keep allowlists strict, disable feedbackReflection if background feedback processing is not desired, avoid display-name based trust, and verify where local token/config/session files are stored and protected before using it with confidential chats or files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (15)

Intent-Code Divergence

Medium (94% confidence)
The test encodes insecure authorization behavior: despite the description saying display-name allowlists are ignored, it expects approval authorization to succeed when only a display name is configured in allowFrom. In an approval/execution path, trusting mutable, non-unique display names can let an attacker impersonate an approver and gain unauthorized approval for sensitive actions.

Missing User Warnings

Medium (94% confidence)
This code takes negatively rated response content and optional user comments, builds a reflection prompt, and sends that material back through the agent reply pipeline in the background without any explicit notice or consent mechanism in this file. That creates a privacy and data-handling risk because sensitive user feedback may be reused for secondary processing and may trigger additional model or integration behavior outside the user's expectation.

Missing User Warnings

Medium (93% confidence)
When per-user sharing is requested, a failure to enumerate chat members silently downgrades the sharing scope to organization-wide access. That can expose files to a much broader audience than the caller intended, creating an authorization and confidentiality gap even though the upload itself succeeds.

Missing User Warnings

Medium (95% confidence)
The handler logs `rawText` and `text` previews from inbound Teams messages, which can contain sensitive user content, credentials, personal data, or confidential business information. Even though the content is truncated to 50 characters, that is often enough to expose secrets, and log stores typically have broader retention and access than the original chat channel.

Missing User Warnings

Medium (81% confidence)
The setup flow stores delegated OAuth tokens via saveDelegatedTokens(tokens) after interactive login, but the user-visible prompts shown in this file only mention enabling delegated auth and do not clearly disclose that tokens will be persisted locally. Persisting long-lived delegated tokens without explicit disclosure or consent increases the risk of surprise credential exposure on shared or improperly secured hosts, especially in a remote/agent setup context.

Missing User Warnings

Medium (85% confidence)
The code can send a proactive follow-up message after a thumbs-down event based on model-generated reflection output, but there is no visible notice here that submitting negative feedback may trigger an automatic outbound message. That creates a transparency and consent problem and can surprise users, especially because the action is performed asynchronously in the background after the original interaction has ended.

Missing User Warnings

Medium (88% confidence)
The function persists `parsedReflection.learning` derived from the user's feedback comment and prior response into session storage without any visible disclosure, retention control, or minimization in this file. This can result in unexpected storage of potentially sensitive user-provided feedback and inferred data, creating privacy and compliance risk if users did not expect their comments to be retained for future session learning.

Missing User Warnings

Medium (95% confidence)
When per-user sharing is requested, failure to retrieve chat members silently downgrades the file to an organization-wide sharing link. That can expose files to a much broader audience than intended, creating an authorization/privacy failure rather than a harmless availability fallback. In this Teams/SharePoint context, the fallback is particularly risky because the function name and parameters imply restricted sharing, yet the code can broaden access without any caller or user notification.

Missing User Warnings

Medium (92% confidence)
This code automatically uploads local non-image media to SharePoint or OneDrive when a token provider is present, without any explicit user consent, notice, or policy gate in this file. If an upstream component can influence media paths, sensitive local files may be exfiltrated to Microsoft cloud storage and shared into chats, creating a confidentiality and compliance risk.

Missing User Warnings

Medium (87% confidence)
The handler logs inbound message previews, attachment metadata, sender identifiers, and conversation identifiers directly from untrusted user input. This creates a real privacy and data-exposure risk because chat content may contain secrets, personal data, or regulated information, and logging it broadens access beyond the intended conversation context and increases retention/exfiltration risk if logs are centralized or compromised.

Missing User Warnings

Medium (88% confidence)
The manual OAuth flow asks the user to paste the full redirect URL, which typically contains a one-time authorization code and state value. In agent or skill environments, pasted content may be logged, retained in transcripts, or exposed to other tooling, creating a realistic risk of credential capture or replay before exchange.

Missing User Warnings

Medium (90% confidence)
When delegated auth is enabled, the probe returns identity-related data from locally stored delegated tokens, including scopes and userPrincipalName, without any minimization, masking, or clear access-control boundary in this function. Probe/status-style APIs are often surfaced to logs, diagnostics UIs, or downstream callers, so exposing a real user's principal name and granted scopes can leak sensitive identity context and aid reconnaissance.

Missing User Warnings

Medium (89% confidence)
The wizard collects an app password interactively and then writes appId, appPassword, and tenantId directly into cfg.channels["msteams-cn"]. Without an explicit warning that these secrets will be persisted in configuration, users may unknowingly store credentials in a plaintext or broadly accessible config file, increasing the risk of credential disclosure through source control, backups, logs, or local file access.

Missing User Warnings

Medium (82% confidence)
When delegated OAuth is enabled, the code persists delegated tokens via saveDelegatedTokens(tokens) after only asking whether to enable delegated auth, without an explicit notice that sensitive access tokens/refresh tokens will be stored locally. This can lead users to unknowingly leave reusable credentials on disk, increasing the risk of token theft from local compromise, backups, logs, or shared environments.

Missing User Warnings

Medium (93% confidence)
This code persists delegated OAuth SSO access tokens to a local JSON file on disk in plaintext, which creates a credential-at-rest exposure if the host, user profile, backups, logs, or shared filesystem are accessed by another user or process. In this context the token can likely be used to call downstream services such as Microsoft Graph on behalf of the user until expiry, so filesystem disclosure becomes account and data access exposure rather than mere metadata leakage.

VirusTotal

61/61 vendors flagged this plugin as clean.
