agent-teams

Warn

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: MEDIUM | DATA_EXFILTRATION | PROMPT_INJECTION | COMMAND_EXECUTION
Full Analysis
  • [DATA_EXPOSURE_AND_EXFILTRATION]: The skill accesses sensitive authentication cookies from the Microsoft Teams desktop application storage to authenticate its API requests.
      * Evidence: references/authentication.md describes locating the Cookies SQLite database on various platforms (macOS, Linux, Windows) to extract the skypetoken_asm token.
      * Evidence: Credentials, including the plaintext token, are stored in ~/.config/agent-messenger/teams-credentials.json with owner-only permissions.
  • [INDIRECT_PROMPT_INJECTION]: The skill retrieves content from external Teams channels, which could include malicious instructions intended to manipulate the agent.
      * Ingestion points: Data is retrieved through agent-teams snapshot and agent-teams message list commands, as well as the ~/.config/agent-messenger/MEMORY.md file.
      * Boundary markers: No explicit markers are used to isolate message content from instructions within the agent's prompt.
      * Capability inventory: The agent has access to Bash for sending messages, uploading files, and modifying team state.
      * Sanitization: No content validation or filtering is performed on retrieved messages.
  • [PRIVILEGE_ESCALATION]: The documentation instructs users to provide the terminal environment with broad disk permissions to facilitate token extraction.
      * Evidence: references/authentication.md recommends granting "Full Disk Access" to the terminal app on macOS to allow reading Microsoft Teams' internal session files.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 10, 2026, 02:23 AM