Onedrive

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real OneDrive/SharePoint management skill, but it needs review because it grants broad, persistent cloud-file access and one bootstrap path makes unrelated host-level changes.

Install only if you are comfortable granting this skill broad Microsoft Graph access to OneDrive and SharePoint content. Prefer a dedicated Microsoft app registration, narrower scopes where possible, an isolated runtime, and careful review before any delete, move, upload, share, invite, revoke, or non-default-drive operation. Avoid the bootstrap script unless you accept or remove its openclaw process stop, /root permission change, and bashrc edit. Treat ~/.onedrive-mcp/config.json and credentials.json as sensitive secrets and know how to revoke the app and refresh tokens.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
The script performs actions unrelated to OneDrive provisioning: it kills an unrelated process, changes /root directory permissions to 711, and modifies ~/.bashrc. Those side effects expand the blast radius of installation, can expose root directory metadata to non-root users, and create persistence or environment changes not necessary for the stated function.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
The fallback scope set includes Files.ReadWrite.All and Sites.ReadWrite.All, which grant broad write access across OneDrive and SharePoint content far beyond minimal read or user-scoped access. If these defaults are used accidentally, the installed skill could modify or exfiltrate large amounts of organizational data.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
The default scope set includes Sites.ReadWrite.All in addition to Files.ReadWrite.All, which grants broad read/write access across SharePoint sites, not just the user's OneDrive. That exceeds the stated OneDrive-focused purpose and significantly increases blast radius if the app, secret, or tokens are compromised.

Missing User Warnings

Severity: Medium
Confidence: 94%
The skill exposes delete, move, copy, upload, and sharing operations, including anonymous links and write invites, but does not present an explicit warning or confirmation requirement about data loss, oversharing, or privacy exposure. In an agent setting, this raises the risk of accidental destructive actions or public disclosure of user files.

Missing User Warnings

Severity: Medium
Confidence: 93%
The document explicitly recommends broad delegated scopes (`Files.ReadWrite.All`, `Sites.ReadWrite.All`) plus `offline_access` as the skill's default, which grants persistent read/write access to all files and SharePoint content the signed-in user can access. In a OneDrive/SharePoint skill this may be functional, but presenting these as the default without a prominent warning or least-privilege-first guidance increases the risk of over-privileged deployments and long-lived access if tokens are compromised.

Missing User Warnings

Severity: Medium
Confidence: 94%
The guide instructs users to pipe OAuth token responses to both the terminal and a local credentials file, which exposes access_token and refresh_token material in shell history, terminal scrollback, recordings, or shared sessions. Although this is a setup document rather than executable code, these tokens grant persistent access to OneDrive data and should be treated as secrets.

Missing User Warnings

Severity: Medium
Confidence: 91%
The instructions tell users to generate a long-lived client secret and store it locally, but do not clearly warn that this secret enables OAuth token exchange and must be protected like a password. In practice, users may copy it into plaintext files or insecure environments, increasing risk of credential theft and downstream access to Microsoft Graph resources.

Missing User Warnings

Severity: Medium
Confidence: 94%
The script writes the OAuth client secret, access token, and refresh token to disk in plaintext JSON files. Even with chmod 600, plaintext long-lived credentials on disk materially increase the risk of token theft from backups, logs, later compromise of the account, or accidental disclosure.

Missing User Warnings

Severity: Medium
Confidence: 98%
Changing /root to mode 711 makes the root home directory traversable by other users, exposing directory structure and enabling access to world-executable or discoverable paths under /root. This weakens a core filesystem boundary for no clear OneDrive-related reason.

Missing User Warnings

Severity: Medium
Confidence: 84%
The download command writes remote content directly to a local path, defaulting to the remote file name, without checking whether the destination already exists. This can silently overwrite local files in the current working directory, causing data loss or unintended file placement when invoked with untrusted filenames.

Missing User Warnings

Severity: High
Confidence: 95%
The delete command performs a remote DELETE immediately with no confirmation, dry-run mode, or guardrails. In an agent context, a mistaken or manipulated parameter can trigger destructive actions against user cloud storage, making this significantly riskier than a normal interactive CLI.

Missing User Warnings

Severity: Medium
Confidence: 90%
The script persists the client secret and OAuth configuration to local disk without prominently warning the user that long-lived credentials are being stored. Even with restrictive file permissions, local credential storage creates a durable target for malware, backups, shell access, or accidental disclosure.

Missing User Warnings

Severity: Medium
Confidence: 84%
The revoke command performs an irreversible permission deletion immediately with no confirmation, preview, or safety check. In an agent or automation context, a mistaken target or permission ID can silently remove access from users or break workflows, making the destructive action more dangerous than in a purely manual CLI.

Missing User Warnings

Severity: Medium
Confidence: 95%
`cmd_get` prints the raw OAuth access token directly to stdout, which can easily leak into terminal scrollback, shell history via command substitution, logs, CI output, or other tooling. Because bearer tokens grant access without additional proof of possession, disclosure can immediately enable unauthorized API access until the token expires.

Missing User Warnings

Severity: Medium
Confidence: 92%
The `set` command accepts access and refresh tokens and writes them to disk without any warning, confirmation, or mention that highly sensitive credentials are being persisted. This increases the chance that users supply production tokens casually and leave long-lived credentials stored locally where they may be exposed through backups, misconfiguration, or later compromise of the host.

VirusTotal

VirusTotal findings are pending for this skill version.