office365-connector

Pass

Audited by Gen Agent Trust Hub on Feb 12, 2026

Risk Level: LOW

Full Analysis

The skill consists of several Node.js scripts and markdown documentation. A thorough analysis of all files was conducted, focusing on the 9 threat categories.

  1. Prompt Injection: No patterns indicative of prompt injection were found in any of the markdown files or JavaScript code.
  2. Data Exfiltration: The skill handles sensitive data such as Azure client secrets and OAuth tokens. These are stored locally in ~/.openclaw/auth/office365-accounts.json and ~/.openclaw/auth/office365/*.json. The skill explicitly sets secure file permissions (0o600 for files, 0o700 for directories) for these sensitive files, which is a strong security practice. All network communications are directed to trusted Microsoft domains (login.microsoftonline.com, graph.microsoft.com) for authentication and API interactions. No attempts to exfiltrate data to untrusted external domains were detected.
  3. Obfuscation: No obfuscation techniques (e.g., Base64 encoding, zero-width characters, homoglyphs, URL/hex/HTML encoding) were found in any part of the skill's code or documentation.
  4. Unverifiable Dependencies: All require() statements in the JavaScript files are for built-in Node.js modules (fs, path, https, url) or local files within the skill's directory (./accounts.js, ./auth.js, etc.). There are no external package installations (npm install, pip install) executed by the skill itself, nor are there references to unverified external scripts or URLs. References to GitHub and Microsoft documentation are from trusted sources.
  5. Privilege Escalation: No commands or code patterns (e.g., sudo, chmod +x on arbitrary files, modification of system files) that would attempt to escalate privileges were found. The use of chmod 0o600 and 0o700 is for securing the skill's own configuration, which is a security hardening measure.
  6. Persistence Mechanisms: The skill stores account configurations and authentication tokens in the user's ~/.openclaw/auth/ directory. This is for the legitimate functional persistence of the skill (to maintain user authentication across sessions) and does not constitute a malicious persistence mechanism to maintain unauthorized access.
  7. Metadata Poisoning: The _meta.json file and the name/description fields in SKILL.md, along with other documentation, were checked for malicious instructions. No such patterns were found.
  8. Indirect Prompt Injection: The skill is designed to process external content (emails, calendar events) from the user's Microsoft 365 account. As with any skill that interacts with external user-generated data, there is an inherent risk of indirect prompt injection if the processed content contains malicious instructions. The skill's documentation (references/permissions.md) appropriately details the permissions requested and the data accessed, providing transparency to the user about these interactions. This is an informational risk inherent to the skill's function, not a vulnerability in its implementation.
  9. Time-Delayed / Conditional Attacks: No suspicious conditional logic (e.g., based on specific dates, usage counts, or environment variables) designed to trigger malicious behavior at a later time was detected. Date checks are used legitimately for token expiration management.
Audit Metadata

Risk Level: LOW
Analyzed: Feb 12, 2026, 09:09 PM