Copilot Studio Agent Creator
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent Copilot Studio setup guide, but it covers creating autonomous agents that can run actions using the maker’s Microsoft credentials, so users should review the risks before use.
Do not treat this as malicious code: no executable files or install steps were provided. However, before using it, review any Copilot Studio agent you create for least-privilege credentials, restricted knowledge sources, safe connector actions, explicit approval steps, and monitoring for recurring or event-triggered automation.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A configured agent could perform actions when files, tasks, rows, or other events change, potentially affecting business data or workflows unexpectedly.
The skill directs users to configure agents that can act automatically. Combined with tools/connectors, this creates a risk of actions being taken without a human approval step.
Event triggers allow agents to act autonomously in response to external events—without user input.
Use least-privilege connectors, restrict trigger sources and actions, test in a non-production environment, and add confirmation steps for any high-impact action.
Actions may run with the permissions of the person who created the agent, which could expose or modify resources that normal end users should not control.
The guide states that event trigger authentication uses the maker’s credentials, but it does not bound what permissions should be granted or how to prevent over-privileged delegated access.
Authenticate (uses agent maker's credentials)
Use dedicated least-privilege accounts or connections, review connector permissions, and document exactly which resources the agent can access or change.
A malicious or malformed event payload could redirect the created agent into taking unintended actions, especially when combined with autonomous triggers and connectors.
The guide describes event payloads as containing both data and instructions for the agent. If event content is influenced by untrusted users or documents, the agent may treat external content as authoritative instructions.
Trigger sends payload → JSON/message containing event info + instructions
Keep event data separate from agent instructions, validate payloads, avoid letting document or message bodies issue commands, and require human review for sensitive workflows.
The agent may answer from or expose information from connected knowledge sources if permissions, grounding, or publication settings are too broad.
Adding enterprise, SharePoint, Dataverse, website, or document knowledge is expected for this skill, but it means sensitive organizational content may become retrievable by the created agent.
Knowledge Sources | Add enterprise data, websites, SharePoint, Dataverse
Only connect approved data sources, verify source permissions, avoid sensitive documents unless necessary, and test what the published agent can reveal.
A created agent may continue to run on a schedule or in response to events, causing ongoing usage, billing, or workflow effects.
Recurring triggers and published agents are expected Copilot Studio features, but they create persistent automation that can keep running after the initial setup.
Recurrence | Scheduled | Time-based trigger (every X minutes)
Track published agents and triggers, set owners and review dates, monitor billing, and remove or disable automations that are no longer needed.
