Is makhatib/mcp-microsoft365 safe?
https://github.com/openclaw/skills/tree/main/skills/makhatib/mcp-microsoft365
The mcp-microsoft365 skill is technically clean with no prompt injection, malicious code, suspicious install behavior, or active data exfiltration detected during the audit. However, the skill requests extraordinary application-level Microsoft Graph permissions granting org-wide read/write access to all employees' email, files, Teams messages, and calendar — privileges that are inherently dangerous to grant any AI agent component. The primary risk is that if the hosting agent is compromised via prompt injection from external content it processes (email bodies, file content, Teams messages), this skill provides a complete toolkit for corporate data exfiltration and social engineering using legitimate Microsoft Graph API calls.
Findings (9)
CRITICAL Application-Level Graph Permissions Grant Org-Wide Data Access to All Users -35
The skill requires Microsoft Graph application permissions (not delegated user permissions), which require admin consent and apply organization-wide to ALL users without individual user consent. Permissions include Files.ReadWrite.All (read/write every employee's OneDrive), Mail.ReadWrite and Mail.Send (read and send email as any user), Chat.ReadWrite.All (read/send all Teams conversations), Calendars.ReadWrite, Tasks.ReadWrite.All, and User.Read.All. This is an extraordinary privilege grant for an AI agent component. All 19 of the skill's tools accept a 'user' parameter, allowing any org member to be targeted.
HIGH Skill Creates High-Value Pivot Point for Prompt Injection Attacks Against the Org -45
The 19 tools exposed by this skill constitute a complete organizational data exfiltration and manipulation toolkit. If the hosting agent processes any external content containing a prompt injection payload — including email body text read via m365_mail_read, OneDrive file content returned by m365_files_read, or Teams messages from m365_teams_messages — an attacker gains indirect control of a tool that can: read any employee's email and files, send email as any user (ideal for spear phishing or BEC), enumerate the org directory, access confidential Teams conversations, and create calendar events or tasks. The legitimate use of these tools is indistinguishable from malicious use by a compromised agent at the API level.
HIGH OData Filter Injection in m365_mail_list -12
The filter parameter in m365_mail_list is URL-encoded and directly concatenated into the Microsoft Graph API query string. While URL encoding mitigates some injection vectors, OData filter expressions are complex and Microsoft Graph's server-side validation may not prevent all injection scenarios. An attacker could craft filter expressions that access unintended message fields, bypass expected filtering logic, or cause unexpected data to be returned.
HIGH Path Parameter Injection in m365_files_list -8
The path parameter in m365_files_list is directly interpolated into the Microsoft Graph API endpoint using string concatenation without any sanitization, normalization, or validation. A crafted path value could potentially access files at unintended OneDrive locations, traverse to parent directories, or reference shared folders not intended by the operator.
MEDIUM Cross-User Targeting Enabled by 'user' Parameter Across All Tools -23
Every one of the 19 tools accepts an optional 'user' parameter that selects which organization member's data to access, defaulting to the configured DEFAULT_USER. Combined with application-level permissions (which require no per-user consent), this allows any organization member to be targeted simply by supplying their email address. A compromised agent could systematically access the data of executives, administrators, or other high-value targets.
MEDIUM Azure AD Client Secret Stored as Plain Environment Variable -12
The Azure AD client secret (which grants org-wide M365 access) is read from a plain environment variable and stored as a plain string in memory. If the agent process is compromised, memory is dumped, or environment variables are logged or exposed, the client secret would provide full organizational Microsoft 365 access to an attacker until rotated. No secrets management, HSM integration, or credential rotation mechanism is provided.
LOW SKILL.md Transparently Discloses High-Privilege Setup Requirements -5
The SKILL.md documentation clearly and accurately describes all required permissions and setup steps including admin consent. This transparency is a positive signal (no hidden capabilities), though the detailed Azure AD app registration instructions could serve as a copy-paste guide for a malicious actor seeking to create a similarly-privileged application. No prompt manipulation or injection is present.
INFO Clean Installation via Git Sparse-Checkout with Expected Network Behavior 0
The skill installed via standard git sparse-checkout from the openclaw/skills monorepo. Network traffic was limited to GitHub (140.82.121.4:443) for the git clone and to Ubuntu package servers, the latter attributed to the monitoring system's own activity. No npm install was executed during the audit, no unexpected processes were spawned, and no new network listeners were created. The filesystem diff shows only the six expected skill files were added.
INFO Canary File Accesses Confirmed as Monitoring Framework Operations 0
Honeypot files were accessed at two timestamps: 1771919093.674 (before git clone at 1771919099) and 1771919117.513 (post-install verification). Both access clusters show all six canary files accessed within less than 1 millisecond in sequential order — a pattern characteristic of automated monitoring framework sweeps, not organic skill behavior. No skill code (node/npm) was executed during the audit, making skill-originated access impossible. All canary file content remains unmodified.