ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ms365 Tenant Manager

v2.1.1

Microsoft 365 tenant administration for Global Administrators. Automate M365 tenant setup, Office 365 admin tasks, Azure AD user management, Exchange Online...

0· 1.2k·5 current·5 all-time
byAlireza Rezvani@alirezarezvani
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name, description, SKILL.md and included scripts all align: this is a Microsoft 365 tenant administration tool that generates PowerShell for tenant setup, CA policies, licensing, audit and user lifecycle. That capability legitimately requires high-privilege credentials (Global Admin or an appropriately permissioned app). The metadata, however, declares no required environment variables or primary credential — an omission that reduces transparency but does not by itself contradict the purpose.
!
Instruction Scope
SKILL.md and the included PowerShell templates direct the agent/operator to run high-privilege Graph and Exchange cmdlets (Connect-MgGraph with wide scopes, New-MgIdentityConditionalAccessPolicy, Set-MgUserLicense, Revoke tokens, etc.). Those commands are coherent with the stated purpose, but the instructions and troubleshooting docs also show examples that encourage embedding clientId/clientSecret and using ConvertTo-SecureString with plaintext secrets — an insecure practice that could lead to credential exposure. The skill references local files (CSV inputs) and does not call external endpoints beyond Microsoft APIs, so there is no explicit data exfiltration endpoint, but the agent will need tenant credentials to perform most actions.
Install Mechanism
There is no install spec (instruction-only behavior) and the package contains local Python script generators and documentation. Nothing is downloaded or executed from arbitrary remote URLs, and no package managers are invoked. This is lower-risk from an install-perspective, but the included code will generate and run PowerShell that acts on a live tenant.
!
Credentials
The skill performs operations that require Global Administrator or high privilege application permissions (Directory.ReadWrite.All, Policy.ReadWrite.ConditionalAccess, User.ReadWrite.All, ExchangeOnline). That level of access is proportionate to the functionality — but the skill declares zero required environment variables or primary credential, giving no explicit guidance on how to supply credentials safely. Additionally, the docs show insecure examples for application authentication (clientSecret assigned from plaintext), increasing the risk of credential leakage if users follow them.
Persistence & Privilege
The skill is not forced-always (always:false) and uses the default model-invocation behavior (agent may invoke autonomously). Autonomous invocation combined with high-privilege actions increases potential blast radius if the agent is allowed to act without human control. This combination is not flagged as outright malicious by itself, but you should treat autonomous runs with extra caution for admin-capable skills.
Scan Findings in Context
[no-findings] expected: Pre-scan found no injection signatures. That doesn't imply safety: the package contains many admin-level PowerShell templates and Python generators that will run administrative commands when used; absence of regex matches is not proof of benign behavior.
What to consider before installing
This skill contains ready-to-run PowerShell and Python generators that will create and execute high-privilege Microsoft 365 actions. Before installing or using it: (1) only use in a non-production/test tenant first and review every generated script; (2) do not grant Global Admin or broad Graph scopes to untrusted code — prefer a least-privilege app registration with only required permissions or use managed identities/secure vaults; (3) remove or avoid examples that embed client secrets or use plaintext ConvertTo-SecureString -AsPlainText; store secrets in a secure secret manager and use certificate-based app auth where possible; (4) restrict agent/autonomous invocation or require explicit human approval before running scripts that change Conditional Access, license assignments, or revoke sessions; (5) verify there are no hard-coded secrets in the repository and audit logs after any run. If you cannot validate the author/source or cannot safely provide least-privilege credentials, do not enable this skill against production tenants.

Like a lobster shell, security has layers — review code before you run it.

latestvk977dwtafbjnmpqq0b2zxkmvqn82j2c3

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments