Trust Assessment
ms-outlook-teams-assistant received a trust score of 13/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 7 findings: 1 critical, 3 high, 3 medium, and 0 low severity. Key findings include Arbitrary command execution, Dangerous call: subprocess.run(), Suspicious import: requests.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 56/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (7)
| Severity | Finding | Details | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Arbitrary command execution | Python shell execution (os.system, subprocess) | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/abhinavjp/ms-outlook-teams-assistant/scripts/scan_all.py:44 |
| HIGH | Dangerous call: subprocess.run() | Call to 'subprocess.run()' detected in function '_run_json_to_file'. This can execute arbitrary code. | Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | skills/abhinavjp/ms-outlook-teams-assistant/scripts/scan_all.py:44 |
| HIGH | Sensitive user data cached locally and prepared for external transmission | The skill stores sensitive user communication data (email subjects, senders, recipients, body snippets, Teams message previews, topics, web URLs) in local JSON files (`state/latest_outlook.json`, `state/latest_teams.json`, `thread.json`). The `SKILL.md` explicitly states that the agent should send the output of reminders (which are generated from these cached files) to Telegram. This creates a clear and intended path for sensitive data to be exfiltrated via the agent's external communication capabilities. | 1. Implement stricter data sanitization or redaction for sensitive fields before caching or preparing for external transmission. 2. Ensure the agent's external communication channels (e.g., Telegram) are secure and that the user is fully aware of what data is being sent. 3. Consider encrypting cached sensitive data at rest. 4. Provide clear user consent mechanisms for sending communication content externally. | LLM | SKILL.md:70 |
| HIGH | Microsoft Graph access tokens stored unencrypted on disk | The `scripts/teams_scan.py` script uses MSAL to acquire access tokens for Microsoft Graph. These tokens, including potentially refresh tokens, are stored unencrypted in `state/teams_token_cache.bin`. If this file is compromised, an attacker could gain unauthorized access to the user's Microsoft Teams data and other Graph-accessible resources without needing to re-authenticate. | 1. Implement encryption for the `teams_token_cache.bin` file at rest. 2. Ensure appropriate file system permissions are set to restrict access to the token cache. 3. Consider using a secure credential store (e.g., OS-level credential manager) instead of a plain file for storing tokens. 4. Educate users about the sensitivity of this file and the risks of its compromise. | LLM | scripts/teams_scan.py:120 |
| MEDIUM | Suspicious import: requests | Import of 'requests' detected. This module provides network or low-level system access. | Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/abhinavjp/ms-outlook-teams-assistant/scripts/teams_scan.py:26 |
| MEDIUM | Broad programmatic access to Outlook Desktop via COM | The skill uses `win32com.client.Dispatch("Outlook.Application")` to interact with Outlook Desktop. This grants the script full programmatic control over the Outlook application, including the ability to read, create, modify, and potentially send emails, manage contacts, and access other sensitive data. While the skill's stated intent is limited to drafting and scanning, the underlying COM object provides capabilities far beyond these stated needs, posing a risk if the skill's code were to be maliciously altered or if the agent were to be prompted to misuse these capabilities. | 1. If possible, explore more granular APIs or methods that restrict access to only the necessary functions (e.g., read-only access if only scanning is needed). 2. Implement robust input validation and sanitization for any user-controlled parameters that interact with the COM object to prevent abuse. 3. Clearly document the full scope of permissions granted by COM automation to the user. | LLM | scripts/draft_reply.py:24 |
| MEDIUM | Configurable Microsoft Graph scopes allow for excessive permissions | The skill's `config.json` allows the user to specify `teams.scopes` for Microsoft Graph API access. While the skill's current functionality (scanning and reminding) primarily requires read-only access to chats, the configuration allows for potentially broader scopes (e.g., `Chat.ReadWrite`, `Mail.ReadWrite`, `User.ReadWrite.All`). If an overly broad scope is configured, it could grant the skill (and by extension, the agent) more permissions than necessary, increasing the attack surface if the skill or agent is compromised. The default `User.Read` mentioned in `acquire_token` is likely insufficient for the stated functionality of reading chats, implying that broader scopes *will* be configured by the user. | 1. Clearly document the minimum required Microsoft Graph scopes for the skill's functionality. 2. Advise users to configure only the least privileged scopes necessary. 3. If possible, implement checks within the skill to warn if overly broad scopes are detected. | LLM | SKILL.md:40 |