M365 Spam Manager (v0.1.2)

Review: ClawScan verdict for this skill. Analyzed May 1, 2026, 5:51 AM.

Analysis

This skill is mostly purpose-aligned, but it reuses Microsoft 365 token caches and can modify mailboxes without the confirmations promised in its instructions.

Guidance: Review this skill before installing. It appears intended for Microsoft 365 spam management, but treat it as having real mailbox write authority. Do not rely on the documented confirmation claims unless the scripts are fixed; run analysis-only or dry-run modes first, use a least-privileged M365 profile, and avoid shared-mailbox access unless you explicitly need it.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Concern
Evidence from scripts/check-spam.mjs:
  const dryRun = getArg('dryRun', 'false') === 'true'; ... method: 'PATCH' ... body: JSON.stringify({ categories: newCats })

The script defaults to making live Graph PATCH updates rather than dry-run mode, labeling messages as Spam or OK based on a heuristic threshold without a confirmation step.

User impact: If run or invoked by the agent, it can automatically change mailbox message categories and create Outlook categories in a Microsoft 365 mailbox.
Recommendation: Make dry-run or confirmation the default for mailbox mutations, document this script clearly, and require an explicit flag such as --yes before applying labels.

Human-Agent Trust Exploitation
Severity: Medium | Confidence: High | Status: Concern
Evidence from SKILL.md:
  Review mode (default) — user must approve each action ... Move a false positive to inbox (requires confirmation) ... the script always prompts for confirmation before moving emails.

The documentation promises confirmation for move actions, but the included move scripts directly call Microsoft Graph move endpoints without implementing a prompt.

User impact: A user may trust that they will get a final approval prompt, while a message move can occur immediately once the script is invoked with an ID.
Recommendation: Either add actual confirmation prompts to the move scripts or update the documentation so it accurately states that an explicit command invocation is the only approval step.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
Evidence from SKILL.md:
  node skills/m365-spam-manager/scripts/auto-clean.mjs --profile tom-business-mail --mailbox radman@e-ola.com --threshold 80

The automatic cleanup instructions reference auto-clean.mjs, but that file is not included in the provided manifest; this is a coherence/provenance gap rather than proof of hidden behavior.

User impact: Automatic-mode instructions may fail, or a user might later obtain and run an unreviewed helper script to get that functionality.
Recommendation: Only run helper scripts that are included in the reviewed package, and update the manifest or documentation so referenced automatic cleanup code is present and reviewable.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Concern
Evidence from scripts/_graph.mjs:
  const cacheText = fs.readFileSync(cachePath, 'utf8'); ... if (raw && typeof raw === 'object' && raw.access_token) return raw.access_token;

The skill reads an existing Microsoft 365 token cache and reuses its access token for Graph calls, while the registry metadata declares no primary credential or required config paths.

User impact: Installing and using the skill gives it access through an existing Microsoft 365 profile, including Mail.ReadWrite operations where the account has permission.
Recommendation: Use a least-privileged Microsoft 365 profile, ensure the registry declares the credential/config dependency and Graph scopes, and avoid using broad shared-mailbox access unless needed.