M365 Calendar (Graph)

Security checks across malware telemetry and agentic risk

Overview

This skill matches its stated Microsoft 365 calendar purpose and discloses its local token storage, with no evidence of hidden exfiltration or destructive behavior.

Install only if you are comfortable granting Microsoft Graph calendar read/write access and storing Microsoft auth material locally. Protect ~/.openclaw/secrets/m365-calendar, avoid --offline unless you want longer-lived refresh capability, use trusted token files with import-raw-token.mjs, and be aware that event and attendee details may appear in terminal or agent logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 87%
Finding
This library creates a secrets directory in the user's home folder and reads/writes profile configuration and token cache JSON files there, but it does not apply restrictive file permissions or provide any disclosure about on-disk credential persistence. On multi-user systems, shared environments, backups, or developer workstations with weak default umask settings, access tokens or client secrets stored this way may be exposed to other local processes or users.

Missing User Warnings

Medium
Confidence: 92%
Finding
The script retrieves calendar event metadata and attendee personally identifiable information, including names, email addresses, response status, and timing, then prints it directly to stdout. In agent or automation contexts, stdout is often captured in logs, transcripts, or downstream tools, which can expose sensitive meeting data beyond the intended user and create a privacy leak.

VirusTotal

66/66 vendors flagged this skill as clean.
