Is abhinavjp/ms-outlook-teams-assistant safe?

https://github.com/openclaw/skills/tree/main/skills/abhinavjp/ms-outlook-teams-assistant

84
SAFE

This is a legitimate Windows productivity skill for Outlook Desktop email tracking and optional Teams message monitoring. It contains no prompt injection, malicious code, or exfiltration attempts, but its core functionality requires broad access to email/chat content which is cached as plaintext JSON and includes OAuth token persistence. The primary risk is that cached sensitive data (email content, message previews, MSAL tokens) could be accessed by companion skills in a multi-skill environment.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 72/100 · 25%
Code Execution 78/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 68/100 · 5%

Findings (8)

MEDIUM Plaintext email/chat content cached in state directory -15

Scan results including email subjects, body previews, senders, and Teams message content are written as plaintext JSON to state/latest_outlook.json and state/latest_teams.json. These files persist between runs and could be accessed by other skills or processes.

MEDIUM MSAL OAuth token cached in plaintext -8

The Teams scanner caches the Microsoft Graph OAuth token to state/teams_token_cache.bin using MSAL's SerializableTokenCache. While this is standard MSAL practice, the token grants delegated access to the user's Teams messages and could be stolen by a companion skill.

LOW Email summaries intended for external delivery via Telegram -5

The remind.py script generates reminder messages containing email subjects, sender names, timestamps, and Teams message previews. SKILL.md instructs the agent to send this output to Telegram if non-empty, which transmits email metadata to an external messaging service.

MEDIUM Subprocess spawning in scan_all.py -10

scan_all.py uses subprocess.run() to execute scan_outlook.py and teams_scan.py as child processes. While the command arguments are hardcoded script paths with integer-cast config values (preventing injection), subprocess spawning increases the attack surface if scripts are later modified.

LOW Six executable Python scripts included -12

The skill ships six Python scripts (scan_outlook.py, teams_scan.py, scan_all.py, remind.py, dismiss.py, draft_reply.py, state.py) that the agent is expected to execute. All scripts appear to perform their stated functions without malicious logic.

LOW Skill directs agent to send messages to external service -10

SKILL.md instructs the agent to send reminder output to Telegram, granting implicit authority for external message delivery. This is the stated purpose of the skill but grants the skill influence over the agent's external communication actions.

INFO Multi-skill environment risk — cached data accessible to other skills -15

The plaintext JSON caches and MSAL token in the state/ directory could be read by other installed skills. In a multi-skill environment, a malicious companion skill could harvest email content or reuse the OAuth token without user awareness.

INFO Clean installation with no anomalous behavior -5

Installation consisted of a standard git clone with no post-install scripts, no unexpected network connections, and no filesystem modifications outside the expected directories.