Power Platform Custom Connector
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This instruction-only skill appears purpose-aligned for building Power Platform connectors, but it legitimately involves credentials, generated custom code, external validation scripts, and publishing workflows that users should review.
This skill is reasonable to use for Power Platform connector development. Before using it with real projects, review generated apiDefinition.swagger.json, apiProperties.json, readme.md, and script.csx files; keep real secrets out of committed files and chat when possible; run external validator scripts only after verifying the source; ensure SAS URLs expire; and include webhook cleanup logic for trigger connectors.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
64/64 vendors reported this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If secrets or SAS URLs are shared in the wrong place, someone else could access connector packages or OAuth app credentials.
The certification workflow can involve OAuth client secrets and package-access URLs. This is expected for verified connector submission, but it is sensitive account authority.
- Provide the SAS URL, Client ID, and Client Secret (for OAuth connectors)
Use placeholders in generated files, do not paste real secrets into chat unless necessary, and submit real client secrets only through official Microsoft portals or secure credential fields.
Running external scripts can modify files or run commands in the local environment if the script source is compromised or not what the user expected.
The workflow instructs users to download and run a validator script from a GitHub branch. It is from the expected Microsoft connector repository and is user-directed, but it is still external script execution.
# Download and run the ConnectorPackageValidator ... https://github.com/microsoft/PowerPlatformConnectors/blob/dev/scripts/ConnectorPackageValidator.ps1 ... .\ConnectorPackageValidator.ps1 -PackagePath .\package.zip
Download validator scripts only from the official Microsoft repository, inspect them before running, and prefer a pinned or reviewed version (a specific commit rather than the moving dev branch) when possible.
Generated connector code can affect what data is sent to backend APIs and how responses are transformed.
The skill may help generate C# custom connector code that executes in the Power Platform connector runtime and can send or transform HTTP requests. This is a core disclosed capability.
| External data fetching during request | **Custom code** | ... return await this.Context.SendAsync(this.Context.Request, this.CancellationToken)
Review any generated script.csx before deployment, keep it limited to the intended API behavior, and avoid adding unrelated network calls or secret logging.
A poorly designed webhook connector could continue sending events after a flow is changed or removed.
Webhook trigger connectors can create persistent external subscriptions. The documentation recognizes the persistence risk and gives cleanup guidance.
Webhooks are never cleaned up when flows are deleted or modified, leading to orphaned webhooks on the external service. Fix: Define a DELETE operation for the webhook path.
Include and test webhook deletion/cleanup operations so external webhooks are removed when flows are deleted or updated.
