msteams china adapter

Security checks across malware telemetry and agentic risk

Overview

This skill is meant to fix Microsoft Teams China support, but it can automatically rewrite installed OpenClaw/Teams code, persist host environment changes, and restart the gateway, so it needs review before installation.

Install only on hosts where you intentionally want OpenClaw and @openclaw/msteams patched for Microsoft Teams China. Review the scripts first, back up the installed packages or be ready to reinstall them, avoid heartbeat/cron auto-repair unless you accept unattended code changes and restarts, and verify or remove any HKCU/HKLM or ~/.bashrc CLOUD/SERVICE_URL changes if they are not desired.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (18)

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script invokes `execSync('npm root -g')`, which executes a shell command during patching. While intended to discover OpenClaw's install path, this introduces unnecessary command-execution capability into a file-editing utility and inherits the risks of PATH hijacking, unexpected shell behavior, or running attacker-controlled `npm` binaries in compromised environments.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script persistently modifies host environment configuration by writing CLOUD and SERVICE_URL to Windows registry keys or appending exports to ~/.bashrc. Even if intended to enable Teams China support, this exceeds an in-process patch and changes future user/system behavior, which can affect unrelated sessions and complicate rollback.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The patching skill uses broad host-level shell and registry modification capability that is not narrowly constrained to editing the target OpenClaw/Teams files. Writing HKCU/HKLM environment keys and shell startup files increases blast radius beyond the application being repaired and can unintentionally alter all future sessions or services on the machine.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The changelog explicitly documents automatic repair and automatic gateway restart behavior, but provides no warning, confirmation requirement, rollback guidance, or operational safety constraints. In an agent skill context, silent automated restarts and self-directed repair actions can disrupt service availability, terminate active workflows, or apply changes the operator did not intend.

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
The changelog describes automatic injection of China-specific cloud settings and environment variables without indicating explicit user choice, region validation, or safe scoping. That can force traffic, authentication, and service behavior toward a sovereign cloud environment unexpectedly, causing misrouting, authentication failures, policy violations, or unintended persistence of configuration changes.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README promotes a one-click patch that rewrites installed dist files and sets system/user environment variables, but it does not clearly warn about the persistence, scope, rollback implications, or integrity risks of modifying vendor code in place. In a security-sensitive integration path involving auth, JWT, SSRF allowlists, and cloud endpoints, undocumented in-place patching can weaken reviewability and make accidental misconfiguration or unsafe changes much harder to detect.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill presents automatic repair, dist patching, environment-variable changes, and Gateway restart as normal workflow behavior without an upfront, prominent warning about modifying installed files and restarting services. This is risky because operators may trigger disruptive or irreversible changes before understanding downtime, rollback, or validation requirements.

Missing User Warnings

High
Confidence
98% confidence
Finding
The auto-detect and cron guidance enables unattended execution of patching logic and Gateway restarts, but it does not prominently warn that scheduled runs can modify binaries and restart services without human review. This materially increases operational risk because a version change or false trigger could cause repeated service disruption, unexpected file mutation, or persistence of unreviewed changes.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger list contains broad operational phrases such as '401 Unauthorized', 'Teams not responding', 'OpenClaw upgrade', and 'no reply from Teams bot' that are likely to appear in normal troubleshooting or status conversations. In an auto-fix skill with patching, restart, allowlist, and version-detection capabilities, overly generic triggers can cause unintended activation and execution of sensitive repair actions in the wrong context.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The checklist directs the user to run a one-click patch script that changes application and plugin state, but it does not clearly describe what files, configuration, or runtime behavior will be modified before execution. In a security-sensitive operational skill, encouraging opaque automated patching increases the risk of unintended code changes, persistence of unsafe settings, or execution of a tampered script without informed user consent.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The checklist instructs operators to restart the Gateway without a clear warning that this will interrupt service and may temporarily break bot availability. While operationally normal, omitting a disruption warning can cause avoidable downtime or impact active sessions in production environments.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The workflow instructs users to make persistent system and user environment changes and later restart a gateway, but it does not clearly foreground the operational and security consequences of modifying HKLM/HKCU or shell startup files. Even if the values are not inherently malicious, documentation that drives privileged, persistent host changes without explicit warnings increases the risk of unsafe execution and accidental system-wide misconfiguration.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script immediately enumerates and modifies `.js` files under the detected OpenClaw `dist` directory with no dry-run, backup, or confirmation step. In this skill context, that is risky because it patches installed application code in place, potentially affecting a global installation and making accidental corruption or unintended changes harder to detect and recover from.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
From the moment paths are detected, the script proceeds to rewrite dist files and later perform persistent environment changes without any user confirmation, dry-run, backup, or transactional safeguard. This makes accidental or incompatible modifications easy, especially because it targets installed package artifacts directly.

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
# Windows (PowerShell, Administrator)
reg add HKCU\Environment /v CLOUD /t REG_SZ /d china /f
reg add HKCU\Environment /v SERVICE_URL /t REG_SZ /d "https://smba.trafficmanager.cn/teams" /f
reg add HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment /v CLOUD /t REG_SZ /d china /f
reg add HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment /v SERVICE_URL /t REG_SZ /d "https://smba.trafficmanager.cn/teams" /f
```
Confidence
91% confidence
Finding
reg add

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
# Windows (PowerShell, Administrator)
reg add HKCU\Environment /v CLOUD /t REG_SZ /d china /f
reg add HKCU\Environment /v SERVICE_URL /t REG_SZ /d "https://smba.trafficmanager.cn/teams" /f
reg add HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment /v CLOUD /t REG_SZ /d china /f
reg add HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment /v SERVICE_URL /t REG_SZ /d "https://smba.trafficmanager.cn/teams" /f
```
Confidence
91% confidence
Finding
reg add

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
# Windows (PowerShell, Administrator)
reg add HKCU\Environment /v CLOUD /t REG_SZ /d china /f
reg add HKCU\Environment /v SERVICE_URL /t REG_SZ /d "https://smba.trafficmanager.cn/teams" /f
reg add HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment /v CLOUD /t REG_SZ /d china /f
reg add HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment /v SERVICE_URL /t REG_SZ /d "https://smba.trafficmanager.cn/teams" /f

# Linux/macOS
```
Confidence
95% confidence
Finding
reg add

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
reg add HKCU\Environment /v CLOUD /t REG_SZ /d china /f
reg add HKCU\Environment /v SERVICE_URL /t REG_SZ /d "https://smba.trafficmanager.cn/teams" /f
reg add HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment /v CLOUD /t REG_SZ /d china /f
reg add HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment /v SERVICE_URL /t REG_SZ /d "https://smba.trafficmanager.cn/teams" /f

# Linux/macOS
echo "export CLOUD=china" >> ~/.bashrc
```
Confidence
95% confidence
Finding
reg add

VirusTotal

62/62 vendors flagged this skill as clean.
