msgraph-teams

SUSPICIOUS. The skill’s Teams-notification purpose aligns with its messaging capabilities and Azure Graph credentials, but the main execution path fetches and runs an unpinned npm package whose official provenance was not verified in the provided evidence. Because that external package receives Azure client secrets and can perform outbound Teams actions, the overall risk is high despite generally coherent functionality.