Is cvsloane/ms365 safe?

https://github.com/openclaw/skills/tree/main/skills/cvsloane/ms365

Overall score: 74 (CAUTION)

The cvsloane/ms365 skill is a legitimate Microsoft 365 integration wrapping the real @softeria/ms-365-mcp-server npm package, with no malicious code in the skill files themselves and a clean installation process. The primary risks are structural: the use of 'npx -y' on every invocation creates an ongoing supply chain attack surface against authenticated Microsoft 365 sessions, and the skill's broad access to emails, calendar, files, and contacts — combined with email send capability — creates a dangerous secondary prompt injection attack chain if the agent reads adversarially crafted email content. The skill is appropriate for controlled deployments with trust in the Softeria npm package supply chain, but should not be installed in environments where agents read untrusted email content without additional safeguards.

Category Scores

Category              Score    Weight
Prompt Injection      85/100   30%
Data Exfiltration     65/100   25%
Code Execution        62/100   20%
Clone Behavior        88/100   10%
Canary Integrity      88/100   10%
Behavioral Reasoning  60/100    5%

Findings (9)

HIGH (-30) Unpinned npx -y executes latest remote npm code on every invocation

Every function call in ms365_cli.py runs 'npx -y @softeria/ms-365-mcp-server', which resolves and downloads the latest published version of the package from npm without version pinning, lockfile, or integrity hash. If the @softeria/ms-365-mcp-server package is compromised via account takeover, malicious update, or typosquat confusion, the attacker silently gains code execution within an authenticated Microsoft 365 session with access to MSAL token cache, email, calendar, files, and contacts.

HIGH (-20) Skill provides unscoped access to full Microsoft 365 data estate

The skill enables an agent to silently enumerate and read all emails, all contacts, all OneDrive files, all calendar events, and all To Do tasks for the authenticated user. There is no scoping by folder, date range, or sensitivity label. A malicious or prompt-injected agent could use these capabilities to quietly exfiltrate an entire mailbox or file share without user awareness.

MEDIUM (-25) Email send capability is a high-impact action surface for secondary prompt injection

The skill allows an agent to send emails on behalf of the authenticated user. If the agent reads an adversarially crafted email containing embedded instructions (a secondary prompt injection), it could be directed to forward sensitive email content, send phishing emails to contacts, or invite external parties to calendar events. The SKILL.md includes a soft guardrail ('confirm recipient and content before sending'), but this is easily bypassed by a persuasively framed injection.

MEDIUM (-13) Supply chain risk from transitive npm package with no version lock

The skill does not include a package-lock.json or pin a specific version of @softeria/ms-365-mcp-server. The npm registry 'latest' tag resolution means any malicious update to the upstream package (account compromise, malicious maintainer, or hijacked release) would be silently fetched and executed with access to the current Microsoft 365 authentication context on next skill invocation.

MEDIUM (-10) Hardcoded absolute path assumes root-privileged deployment structure

All commands in SKILL.md reference 'python3 /root/clawd/skills/ms365/ms365_cli.py'. This assumes the skill is installed under /root/clawd/ (a root-owned directory), which implies the expected deployment runs as root. This is both a security concern (running skill code as root) and a reliability concern (commands will fail silently in standard user-space deployments).

LOW (-15) OAuth token cache has no documented security posture

MSAL device code flow caches refresh tokens locally on the agent host. The skill documentation states 'Authentication is cached after first login' but provides no information about token storage location, file permissions, expiry enforcement, or revocation procedures. Cached tokens could persist indefinitely and be stolen if the host is compromised.

LOW (-15) Mismatched .clawhub/lock.json references unrelated skill

The .clawhub/lock.json bundled in this skill references 'academic-research-hub' v0.1.0 — a completely different skill. This file was almost certainly accidentally copied from another project. While not malicious, it indicates the skill lacked basic quality review before publishing and raises questions about what other sloppiness may be present.

INFO (0) Installation process was clean with expected network activity only

The skill installation performed a sparse git clone from github.com, checked out only the ms365 subpath, copied files to the install destination, and cleaned up the temp clone. No unexpected network destinations, no hidden install scripts, and no filesystem side effects were observed.

INFO (0) Canary file accesses consistent with audit infrastructure verification

Honeypot files were accessed twice during the monitoring period — once at the start (audit baseline setup) and once after install completion (audit canary verification sweep). The simultaneous access of all 6 canary files within 1ms at t=1771957549.264 is a fingerprint of the audit system's own verification script, not a targeted credential enumeration by the skill. All content remains intact.