Security audit

Teams Delegate

Security checks across malware telemetry and agentic risk

Overview

This Teams assistant is not plainly malicious, but it needs Review because it can read and send workplace messages, request broad Microsoft Graph access, and store reusable auth tokens locally without enough guardrails.

Install only if you are comfortable letting an agent read and send Teams messages from your Microsoft account. Use the smallest Graph permissions possible, avoid tenant-wide admin consent unless truly needed, keep auto-reply modes time-limited, require human approval for sensitive or VIP messages, and delete or revoke the local token cache when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Severity: Medium
Confidence: 89%
Finding
The trigger phrases are broad enough to activate on common requests like checking or handling Teams messages, which can cause the agent to invoke a capability that reads and sends messages on the user's behalf without an explicit confirmation boundary. In this skill's context, that is especially risky because the described actions include autonomous inbox monitoring and replying, so an accidental invocation could expose private communications or send unintended responses.

Missing User Warnings

Severity: High
Confidence: 96%
Finding
The skill prominently markets autonomous reading, drafting, and sending of Microsoft Teams messages but does not present an equally prominent warning that it may access sensitive workplace communications and act on the user's behalf. This is dangerous because users may invoke the skill without understanding that it can monitor inboxes, summarize private conversations, and send messages automatically, creating privacy, consent, and impersonation risks.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The document explicitly states that OAuth tokens, including a refresh token, are stored at a predictable local path but provides no warning about secret sensitivity, file permissions, encryption, or safe handling. Because refresh tokens enable long-lived reauthentication, documenting their storage without safeguards increases the chance of credential theft from disk, logs, backups, or shared environments.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The script persists authentication-related state to disk under the user's home directory without setting restrictive file permissions or warning the user that local credential material will be stored. Although MSAL token caching is common, storing refresh/access token cache data in plaintext-accessible files can expose account access to other local users, malware, backups, or accidental disclosure if the directory is broadly readable.

VirusTotal

67/67 vendors flagged this skill as clean.
