Skills
skills/julianobarbosa/claude-code-skills/teams-migration/Gen Agent Trust Hub

teams-migration

Warn

Audited by Gen Agent Trust Hub on Jun 15, 2026

Risk Level: MEDIUMEXTERNAL_DOWNLOADSCREDENTIALS_UNSAFECOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructs the agent to execute npx @floriscornel/teams-mcp@latest authenticate, which downloads and runs code from an unverified third-party NPM package at runtime.
  • [CREDENTIALS_UNSAFE]: The script Tools/MigrateChat.mjs directly reads and writes sensitive authentication data from ~/.teams-mcp-token-cache.json and ~/.msgraph-mcp-auth.json to manage Microsoft Graph API tokens.
  • [COMMAND_EXECUTION]: The skill invokes system commands including node to run local migration tools and curl to send data to a local endpoint.
  • [DATA_EXFILTRATION]: The skill performs a network operation to http://localhost:8888/notify using curl. While targeting localhost, this involves sending workflow status data to an unverified local port.
  • [COMMAND_EXECUTION]: The skill implements dynamic loading of configurations and preferences from the directory ~/.claude/skills/PAI/USER/SKILLCUSTOMIZATIONS/TeamsMigration/, allowing local files to override default behavior.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 15, 2026, 04:17 PM
Security Audit — agent-trust-hub — teams-migration