Outlook Email

Security checks across malware telemetry and agentic risk

Overview

This is a transparent Outlook email automation skill with powerful but clearly disclosed mailbox permissions.

Install only with a Microsoft Graph runtime you trust. Start with read-only Mail.Read plus offline_access when possible, grant Mail.Send or MailboxSettings.ReadWrite only for workflows that need them, require draft review before sending, and avoid autonomous write actions unless the runtime enforces allowlists and rule-action blocks. Do not use the calendar reference to create events without separate calendar consent and timezone confirmation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Description-Behavior Mismatch

Medium
Confidence: 89%
Finding
The reference expands the skill from email management into calendar scheduling, which materially broadens the action surface beyond the declared purpose. That mismatch can cause an agent or integrator to invoke event-creation capabilities users did not reasonably expect when enabling an email-focused skill.

Context-Inappropriate Capability

Medium
Confidence: 87%
Finding
Documenting event creation in an email-management skill normalizes a privileged side effect unrelated to the stated task boundary. In practice, this can lead to unauthorized or surprising calendar modifications if an agent follows the reference as authoritative capability guidance.

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger phrases are broad enough that an agent platform could invoke this skill during ordinary conversation about email, even when the user did not intend to grant mailbox access or perform mailbox actions. In this skill’s context, unintended invocation is more dangerous because the documented workflows include high-impact operations such as reading mail, creating rules, moving messages, and potentially sending mail if the runtime has the necessary scopes.

Natural-Language Policy Violations

Medium
Confidence: 93%
Finding
Hard-coding a default timezone without user opt-in can cause meetings to be scheduled at the wrong local time, especially for users outside that region or traveling. For scheduling workflows, this is a safety and integrity issue because incorrect time assumptions directly alter user-facing actions.

VirusTotal

63/63 vendors flagged this skill as clean.
