registry  /  @zapier/microsoft-outlook-connector  /  0.2.5

@zapier/microsoft-outlook-connector@0.2.5

Agent-callable Microsoft Outlook tools — read and search mail, send/reply/forward, organize messages and folders, manage calendar events, and manage contacts. Use when the user mentions Outlook, Microsoft 365 mail/calendar/contacts, or wants to send, read

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Several list tools accept an unrestricted pagination cursor and use it as a fetch URL. With the direct environment-token resolver, that request includes the Microsoft Graph bearer token. This creates caller-triggered credential exfiltration rather than confirmed intentional malware.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Invoke a list tool with `connection` using the env-token resolver and a malicious `cursor` URL.
Impact
An attacker controlling tool input can receive the configured Microsoft Graph access token and act within its granted permissions.
Mechanism
Unvalidated cursor URL forwarded through bearer-authenticated fetch.
Rationale
The package is not shown to be intentionally malicious and has no install-time attack behavior, but its unrestricted cursor handling can exfiltrate a direct Microsoft Graph bearer token. Flag as a critical source-level vulnerability pending a fix that restricts cursors to Microsoft Graph pagination URLs.
Evidence
connections.tsscripts/listMessages.tsscripts/listAttachments.tsscripts/listCalendars.tsscripts/listCalendarView.tsscripts/listContacts.tsscripts/listEvents.tsscripts/listMailFolders.tsdist/index.jspackage.jsoncli.js
Network endpoints1
graph.microsoft.com/v1.0

Decision evidence

public snapshot
AI called this Suspicious at 93.0% confidence as Critical Vulnerability with low false-positive risk.
Evidence for warning
  • `connections.ts` wraps arbitrary fetch inputs with `Authorization: Bearer <token>`.
  • `scripts/listMessages.ts`, `listEvents.ts`, `listContacts.ts`, and related list tools pass user-supplied `cursor` directly as the request URL.
  • `dist/index.js` confirms each cursor is sent through `outlookFetch(ctx.fetch, ...)` without host validation.
  • A caller can supply a non-Graph cursor URL, causing the direct env-token resolver to send its bearer token to that URL.
Evidence against
  • `package.json` has no preinstall, install, postinstall, prepare, or uninstall hook.
  • Observed built output targets Microsoft Graph at `https://graph.microsoft.com/v1.0` for normal tool operations.
  • `cli.js` only spawns the package's own compiled/source CLI and performs a temporary writability probe when `dist/` is absent.
  • No payload download, shell execution beyond the CLI dispatcher, persistence, or AI-client config mutation was found.
Behavioral surface
Source
ChildProcessFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 37 file(s), 160 KB of source, external domains: graph.microsoft.com, learn.microsoft.com

Source & flagged code

1 flagged · loading source
dist/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @zapier/microsoft-outlook-connector@0.2.4 matchedIdentity = npm:[redacted]:0.2.4 similarity = 0.919 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.jsView on unpkg

Findings

1 High1 Medium4 Low
HighPrevious Version Dangerous Deltadist/index.js
MediumNetwork
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings