msgraph-files
Warn
Audited by Socket on Mar 18, 2026
1 alert found:
Security (MEDIUM): SKILL.md
SUSPICIOUS. The skill’s stated purpose matches Microsoft Graph file management, but its execution model is riskier than necessary: it uses unpinned npx execution of a not-fully-verified external MCP package and forwards raw Azure application credentials to that package. Data flows are broadly consistent with the purpose, so this is not confirmed malware, but install trust and credential forwarding make it a high security-risk skill.
Confidence: 85%
Severity: 82%