Low risk (risk score 10/100)
Last scanned: 1 day ago
ms365-cli
Manage Microsoft 365 Emails and Calendar using the ms365 CLI tool
Well-documented Microsoft 365 CLI wrapper that declares shell access and all capabilities transparently with no hidden functionality detected.
Skill name: ms365-cli
Analysis time: 24.1s
Engine: pi
OK to install
Skill is safe to use. Consider pinning ms365 CLI version in prerequisites to mitigate supply chain risks.

Security findings: 1

Severity | Finding | Location
Low
ms365 CLI package not version pinned [Supply chain]
The SKILL.md instructs users to install ms365 with 'npm install -g ms365' without specifying a version, which could result in running a compromised future version.
npm install -g ms365
→ Pin to specific version: npm install -g [email protected]
SKILL.md:21
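Resource type | Declared permission | Inferred permission | Status | Evidence
Command execution | WRITE | WRITE | ✓ Consistent | SKILL.md declares bash tool, restricted to ms365 CLI
Network access | READ | READ | ✓ Consistent | Microsoft Graph API calls via ms365 CLI (documented)
File system | NONE | NONE | | No file operations documented
Environment variables | NONE | NONE | | No env access documented or inferred
Credential access | NONE | NONE | | Explicitly states user must authenticate manually; agent cannot access tokens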

Directory structure

1 file · 9.7 KB · 219 lines
Markdown 1f · 219L
└─ 📝 SKILL.md Markdown 219L · 9.7 KB

Dependency analysis: 1 item

Package | Version | Source | Known vulnerabilities | Notes
ms365 | * | npm | | Version not pinned - potential supply chain risk

Security highlights

✓ Comprehensive documentation covering all capabilities
✓ Explicitly states agent cannot authenticate on behalf of user (credential protection)
✓ Authentication requires manual user action via device code flow
✓ All operations are read-only or user-initiated mutations clearly documented
✓ No base64, eval, or obfuscation patterns detected
✓ No hidden functionality or shadow operations
✓ No credential harvesting or environment variable access
✓ Token lifecycle properly documented with logout capability