Microsoft Ops Gadget — CLI for Microsoft 365 (Mail, Calendar, Drive, Contacts, Tasks, Word, PowerPoint, Excel, OneNote).
Security Analysis
Medium confidence
The skill's code and instructions match a Microsoft Graph CLI (mog) and appear coherent with the description, but there are notable metadata/instruction mismatches and a prompt-injection indicator that you should review before installing.
The name/description, README, SKILL.md and included Go sources implement a Microsoft 365 CLI using Microsoft Graph (mail, calendar, drive, contacts, tasks, Office file operations). The code files and documented commands align with the stated purpose. Note: the package includes full source code (many .go files) even though the registry metadata described the skill as instruction-only (no install spec) — that's an inconsistency to be aware of but not necessarily malicious.
Runtime instructions (SKILL.md) are within expected scope: create an Azure AD app, run device-code auth, use mog auth login, and call the CLI commands. The docs ask to store tokens in ~/.config/mog and to use --body-file for message bodies; they do not instruct the agent to read arbitrary unrelated host files or exfiltrate data to unknown endpoints. The code uses exec to open a browser for device flow, which is expected for this workflow.
No install spec is present in registry metadata (skill treated as instruction-only), but the bundle contains full source, Taskfile, and build/install instructions (go install / go build). There are no downloads from unknown URLs or extract steps in the manifest. The absence of an install spec while shipping source is unusual but not necessarily dangerous — it means an operator would build/run the binary locally rather than the platform auto-installing arbitrary binaries.
Registry metadata lists no required environment variables or config paths, but SKILL.md and the code clearly reference/store sensitive material: MOG_CLIENT_ID (env alternative to CLI flag), and local OAuth tokens at ~/.config/mog/tokens.json (or OS keyring). The skill effectively requires an Azure AD client ID and will obtain OAuth tokens; those sensitive items are not declared in the metadata. That mismatch reduces transparency and is worth flagging to users who expect declared required credentials.
The skill does not request always: true and does not attempt to modify other skills or system-wide agent settings in the provided sources. It stores tokens and caches slugs under the user's config directory (~/.config/mog), which is normal for a CLI that performs OAuth device flow.
Guidance
What to consider before installing/using this skill:
- Source verification: the skill bundle includes full Go source but the registry metadata gives no homepage and an opaque owner ID. Prefer to install only from a known upstream (GitHub repo or the project's official release). If you plan to use it, fetch the code from the upstream repository (if available) and build locally rather than executing pre-built artifacts from an unknown source.
- Credentials and tokens: the CLI uses OAuth device flow and will store tokens in ~/.config/mog/tokens.json (or OS keyring). Create and use your own Azure AD App (client id) as instructed; do not reuse a public/shared client id. Expect the CLI to request wide Microsoft Graph delegated permissions (Mail.ReadWrite, Files.ReadWrite.All, Calendars.ReadWrite, etc.) — grant only what you trust.
- Metadata mismatch: registry metadata lists no required env vars/config paths, but SKILL.md and code reference MOG_CLIENT_ID and local config files. Treat the metadata as incomplete and verify the declared requirements yourself.
- Inspect the code for hidden behavior: the pre-scan flagged unicode control characters in SKILL.md — view the raw files to confirm there are no hidden prompt injection strings or obfuscated endpoints. Also review internal/graph/client.go (not fully shown here) to confirm the HTTP endpoints are Microsoft Graph APIs rather than unexpected servers.
- Build and run locally: if you decide to use the tool, clone the repository and build it locally (go build/go install) and run tests. Running on your machine gives you more control over what is executed and lets you audit the binary and source before trusting it with OAuth scopes.
- Least privilege: when registering your Azure AD app, grant only the delegated permissions you need, and consider creating a test account with limited data for initial evaluation.
If you want, I can:
- Extract and show any remaining unreviewed files (graph client code) for a closer look,
- Show commands to build/run the project locally and inspect tokens/config,
- Highlight exact locations of any non-printing/unicode-control characters found in SKILL.md.
Latest Release
v0.3.1
- Added comprehensive SKILL.md documentation covering all modules, commands, usage examples, and configuration details.
- Improved clarity on slug usage, credential storage locations, and command aliases.
- Provided a quick start guide and detailed instructions for obtaining in-depth help with mog.
Published by @visionik on ClawHub