Back to skill

Security audit

Office 365 Connector

Security checks across malware telemetry and agentic risk

Overview

This looks like a legitimate Office 365 connector, but it grants broad Microsoft account access and includes risky token and credential handling that users should review carefully.

Install only if you need broad Microsoft 365 automation. Use the smallest Azure permission set that supports your use case, avoid running the token-printing command, protect ~/.openclaw/auth like a password store, do not configure secrets in shared terminals, and revoke the Microsoft app consent when you stop using it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill documentation describes use of environment variables for Azure tenant, client ID, and client secret, but the metadata does not declare the corresponding permission/capability needs. This creates a transparency and review gap: operators may install or trust the skill without realizing it depends on sensitive environment-based secrets, which weakens informed consent and policy enforcement.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The documented capabilities claim broader functionality than the implementation apparently provides, including contacts read/write and full calendar write operations. This mismatch can mislead users into granting broad Microsoft Graph permissions that exceed the actual feature set, increasing unnecessary access to sensitive mail, calendar, and contact data.

Missing User Warnings

Medium
Confidence
74% confidence
Finding
The skill advertises destructive operations such as deleting messages, deleting contacts/events, cancelling events, and removing accounts without prominent warnings about irreversible data loss. In a connector handling live Microsoft 365 data, unclear safety guidance raises the risk of accidental destructive actions by users or downstream automation.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The documentation instructs users to configure and store Azure client secrets and token files, but it does not strongly emphasize operational safeguards for protecting those credentials during setup and use. If secrets or token files are exposed through shell history, shared configs, backups, or weak filesystem hygiene, an attacker could gain persistent access to the user's Microsoft 365 data.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The CLI `token` command prints the current OAuth access token directly to stdout. In practice, stdout is often captured by shell history, logs, wrappers, CI systems, terminal scrollback, or other local processes, so this creates an unnecessary credential exposure path for a bearer token that can be used to access Microsoft Graph resources.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script prints email subjects, sender names, timestamps, and body previews directly to stdout, which can expose sensitive communications and personal data to terminal logs, calling processes, shell history capture tools, or other users on shared systems. In an Office 365 connector, this is more dangerous because the data originates from real mailbox content and may include confidential business or personal information.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guide instructs users to grant broad delegated Microsoft Graph scopes covering mailbox, calendar, contacts, and offline refresh, but it does not clearly state that this gives the app ongoing access to highly sensitive personal and organizational data. In a setup guide for an agent skill, omission of a prominent scope-risk warning can lead users to over-consent without understanding the exposure.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guide notes that tokens are stored on disk and refreshed automatically, but it does not prominently warn that those stored tokens may continue to grant account access until revoked or expired. For an Office 365 connector handling email, calendar, and contacts, unclear disclosure of persistent authentication materially increases the risk of unintended long-lived access if the host is compromised.

Excessive Permissions

Low
Category
Privilege Escalation
Content
2. You'll see `User.Read` already granted by default
3. Click **+ Add a permission**

**Add each of the following permissions:**

### For Email Support:
1. Click **Microsoft Graph** → **Delegated permissions**
Confidence
87% confidence
Finding
permissions:*

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.