TeamsMigration
Fail
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill and its included Node.js script (`Tools/MigrateChat.mjs`) explicitly read sensitive authentication data from the user's home directory. Specifically, it accesses `~/.msgraph-mcp-auth.json` and `~/.teams-mcp-token-cache.json` to retrieve Microsoft Graph API client IDs, access tokens, and refresh tokens.
- [COMMAND_EXECUTION]: The skill performs multiple unauthorized command executions:
  - Automatically executes a background `curl` request to `http://localhost:8888/notify` on every invocation to send voice notifications, which could be used for local port probing or tracking.
  - Instructs the agent to run a local script `Tools/MigrateChat.mjs` using `node`, which handles complex logic like token refreshing and bulk API requests.
- [EXTERNAL_DOWNLOADS]: The skill guides the user to execute `npx @floriscornel/teams-mcp@latest authenticate`, which downloads and executes code from a third-party NPM package outside of the skill's direct control.
- [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection from the data it processes.
  - Ingestion points: Chat history is ingested from MS Teams via the `mcp__teams-mcp__get_chat_messages` tool in both `Workflows/MigrateChat.md` and `Workflows/ExportChat.md`.
  - Boundary markers: There are no boundary markers or 'ignore' instructions implemented to prevent the agent from following commands embedded within the chat messages being migrated.
  - Capability inventory: The skill has access to shell execution (`curl`), script execution (`node`), and file system writes (writing progress to `/tmp`).
  - Sanitization: No sanitization or filtering is performed on message content to strip potential instructions before the agent processes the data.
Recommendations
- AI detected serious security threats