Is outlook-api safe?

https://clawhub.ai/byungkyu/outlook-api

72
CAUTION

This skill is a documentation-only Microsoft Outlook API wrapper that routes all email, calendar, and contact data through a third-party proxy (gateway.maton.ai) rather than connecting directly to Microsoft Graph. While it contains no malicious code, executable files, or hidden payloads, the fundamental architecture means users must trust both Microsoft AND Maton with their complete email account access. The skill also normalizes agent code execution patterns and creates a bidirectional email channel that could be exploited via prompt injection in email content.

Category Scores

Prompt Injection 68/100 · 30%
Data Exfiltration 55/100 · 25%
Code Execution 70/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 45/100 · 5%

Findings (9)

HIGH All data routed through opaque third-party proxy -35

Every API call goes through gateway.maton.ai instead of directly to Microsoft Graph (graph.microsoft.com). The Maton gateway operator has full visibility into all email content, calendar events, contacts, and OAuth tokens. Users trust Microsoft with their data, but this skill silently adds Maton as a man-in-the-middle with complete read/write access to their Microsoft account.

HIGH OAuth tokens managed by third party -10

The user's Microsoft OAuth tokens are stored and managed by Maton's infrastructure (ctrl.maton.ai), not by the user. The gateway 'automatically injects your OAuth token', meaning Maton holds the actual Microsoft credentials. If Maton is compromised, all connected users' Microsoft accounts are exposed.

MEDIUM Cross-promotion of additional skill with install implication -15

The skill description explicitly promotes installing another skill (api-gateway) by full ClawHub URL. This could be used to chain skill installations, expanding the attack surface. The phrasing 'For other third party apps, use the api-gateway skill' instructs the agent to recommend or install additional software.

MEDIUM Normalized code execution via Python heredocs -12

The skill's documentation pattern encourages the agent to execute Python code blocks directly in the shell using heredoc syntax. This normalizes a dangerous pattern where the agent runs arbitrary code, making it more susceptible to secondary prompt injection attacks embedded in email content fetched through the API.

MEDIUM IMPORTANT directives condition agent compliance -5

The Notes section includes multiple 'IMPORTANT:' prefixed instructions that condition the agent to follow skill-authored directives with elevated trust, potentially overriding user preferences or system safety guidelines.

MEDIUM Executable code in documentation promotes direct shell execution -30

While the skill contains no standalone executable files, its documentation is designed to be injected into an agent's context and contains numerous ready-to-execute Python code blocks. An agent following these instructions will execute network-connected Python code in the user's shell environment.

MEDIUM Email content as prompt injection vector -30

When the agent fetches emails via this skill, malicious email content could contain prompt injection attacks. Since the agent processes email bodies as text, a crafted email could instruct the agent to forward emails, send messages, or exfiltrate data — all using the very API this skill provides.

LOW Full email account access scope with no granularity -25

The skill provides unrestricted access to read, send, and delete emails, manage calendar events, and manage contacts, with no option for reduced scope. A user who only wants to read emails cannot limit the skill's capabilities.

INFO Host agent runtime reads sensitive files during install -5

The filesystem monitoring detected reads of .env, .aws/credentials, .profile, and .bashrc during installation. These appear to be from the OpenClaw agent runtime loading its configuration, not from the skill itself. However, this means the skill operates in an environment where these sensitive files are accessible.