Back to skill
Skillv1.0.2
VirusTotal security
Microsoft 365 · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:14 AM
- Hash
- 48e25b55647fef1e37c521a7fad067923235cfef5e2169e31fe0d51bac1d21b4
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: microsoft365 Version: 1.0.2 The skill is classified as suspicious primarily due to a potential path traversal vulnerability in the `uploadFile` function within `src/api.js`. The `fileName` parameter, which can be user-controlled, is directly interpolated into the Microsoft Graph API URL path (`/me/drive/root:/${fileName}:/content`). If the Graph API does not sufficiently sanitize or restrict `fileName` (e.g., against `../` sequences), an attacker could potentially upload files to unintended locations within the user's OneDrive. Additionally, the skill requests broad permissions (`Files.ReadWrite.All`, `Mail.Send`, `Calendars.ReadWrite`, `Contacts.ReadWrite`), which, while necessary for its stated functionality, increase the impact if any vulnerability were exploited. There is no evidence of intentional malicious behavior like exfiltration to unauthorized endpoints or prompt injection in `SKILL.md`.
- External report
- View on VirusTotal