Openclaw Msteams 2026.5.26.Tgz

Security checks across malware telemetry and agentic risk

Overview

This is an official Microsoft Teams channel plugin whose sensitive Teams actions and token storage are consistent with its purpose, but administrators should configure its permissions carefully.

Install only in a Teams tenant where you intend OpenClaw agents to act in Microsoft Teams. Configure Microsoft Graph permissions and OpenClaw tool allow/deny policies narrowly, especially for delete, participant removal, rename, search, and history access. Treat the local OpenClaw state directory as sensitive because it may contain Teams tokens, conversation metadata, poll data, and feedback comments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The skill exposes a wide set of Microsoft Teams capabilities including message history access, search, channel/member inspection, participant management, pinning, deletion, and group renaming. In this file, these capabilities are surfaced to the agent without any purpose-based restriction, per-action approval gate, or least-privilege narrowing, which increases the chance of overbroad access and misuse if the agent is prompted or compromised.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The runtime exposes a wide set of Microsoft Teams capabilities beyond basic messaging, including directory lookup, member management, group renaming, message retrieval/search, reactions, and pin management. In a skill with no declared purpose or scope restrictions, this materially expands the attack surface and enables misuse if an upstream agent, prompt injection, or unauthorized caller can invoke these operations.

Missing User Warnings

Medium
Confidence: 89%
Finding
The delete action directly invokes message deletion when given a target and messageId, with no confirmation, warning, or secondary approval in this code path. Because this plugin exposes a message tool to an agent, accidental prompts, prompt injection, or operator mistakes could trigger irreversible deletion of Teams content.

Missing User Warnings

Medium
Confidence: 90%
Finding
The removeParticipant action removes a user from a conversation based only on provided target and userId, without any user-facing confirmation or additional authorization checks in this layer. This is an administrative action that can disrupt communications, lock users out of collaboration, and be abused by malicious prompts or mistaken operator input.

Missing User Warnings

Low
Confidence: 82%
Finding
The renameGroup action changes a group name immediately when supplied a target and name, with no confirmation or additional review. While less destructive than deletion or participant removal, it can still cause confusion, social engineering opportunities, and operational disruption if triggered accidentally or maliciously.

Missing User Warnings

Medium
Confidence: 84%
Finding
The code persists delegated Bot Framework OAuth SSO tokens to a local JSON file in plaintext, creating a durable secret store on disk. If the host, container filesystem, backups, or logs are exposed, an attacker could recover user tokens and use them to access downstream Microsoft resources with that user's delegated privileges.

Missing User Warnings

Low
Confidence: 70%
Finding
The handler appends negative-feedback comments, message IDs, session keys, agent IDs, and conversation IDs to session files without any visible notice or minimization. While this is primarily a privacy/data-governance issue rather than remote code execution, it creates unnecessary retention of potentially sensitive user text and metadata that could be exposed through local file compromise or overly broad operator access.

VirusTotal

46/46 vendors flagged this plugin as clean.
