skills/mukul975/anthropic-cybersecurity-skills/post-exploiting-microsoft-graph-with-graphrunner/Snyk
post-exploiting-microsoft-graph-with-graphrunner
Fail
Audited by Snyk on Jun 25, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.70). The URLs are legitimate (GitHub, Microsoft Graph, Black Hills InfoSec, Apache) and not obfuscated or using shorteners, but they point to a dual‑use PowerShell post‑exploitation tool (GraphRunner) and related repos that can be used to compromise M365 tenants — so they are safe as hosting sources but high‑risk to download/run without authorization or review.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 1.00). This codebase is an explicit post-exploitation toolkit: it acquires/imports Microsoft Graph access tokens, enumerates tenant users/groups/grants, searches and downloads mail/SharePoint/Drive/Teams data (data exfiltration), and provides deliberate persistence/backdoor capabilities (injecting OAuth apps, creating hidden inbox forwarding rules, adding group members / cloning groups) — all clear indicators of intentional malicious/abusive functionality when used without authorized scope.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's prerequisites instruct cloning and importing the remote PowerShell module (git clone https://github.com/dafthack/GraphRunner.git followed by Import-Module .\GraphRunner.ps1), which fetches and executes external code at runtime (remote repository URL: https://github.com/dafthack/GraphRunner.git).
Issues (3)
E005
CRITICALSuspicious download URL detected in skill instructions.
E006
CRITICALMalicious code pattern detected in skill scripts.
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata