中文 EN

Scan Report

Scan New Files

Low Risk — Risk Score 10/100
Last scan:1 day ago Rescan
10 /100
ms365-cli
Manage Microsoft 365 Emails and Calendar using the ms365 CLI tool
Well-documented Microsoft 365 CLI wrapper that declares shell access and all capabilities transparently with no hidden functionality detected.
Skill Namems365-cli
Duration24.1s
Enginepi
Safe to install
Skill is safe to use. Consider pinning ms365 CLI version in prerequisites to mitigate supply chain risks.

Findings 1 items

Severity Finding Location
Low
ms365 CLI package not version pinned Supply Chain
The SKILL.md instructs users to install ms365 with 'npm install -g ms365' without specifying a version, which could result in running a compromised future version.
npm install -g ms365
→ Pin to specific version: npm install -g [email protected]
 SKILL.md:21
ResourceDeclaredInferredStatusEvidence
Shell WRITE WRITE ✓ Aligned SKILL.md declares bash tool, restricted to ms365 CLI
Network READ READ ✓ Aligned Microsoft Graph API calls via ms365 CLI (documented)
Filesystem NONE NONE No file operations documented
Environment NONE NONE No env access documented or inferred
credential_theft NONE NONE Explicitly states user must authenticate manually; agent cannot access tokens

File Tree

1 files · 9.7 KB · 219 lines
Markdown 1f · 219L
└─ 📝 SKILL.md Markdown 219L · 9.7 KB

Dependencies 1 items

PackageVersionSourceKnown VulnsNotes
ms365 * npm No Version not pinned - potential supply chain risk

Security Positives

✓ Comprehensive documentation covering all capabilities
✓ Explicitly states agent cannot authenticate on behalf of user (credential protection)
✓ Authentication requires manual user action via device code flow
✓ All operations are read-only or user-initiated mutations clearly documented
✓ No base64, eval, or obfuscation patterns detected
✓ No hidden functionality or shadow operations
✓ No credential harvesting or environment variable access
✓ Token lifecycle properly documented with logout capability