
codebje, yesterday at 11:41 PM

The malice is by the author of the malicious skill file.

This is an intrinsic risk associated with giving LLMs access to sensitive material. It's reckless of Microsoft to give an LLM such broad access based on the user's own permissions.

If there were a confirmation prompt for the Teams message, why would even a highly competent user refuse it? That's what the skill says it will do. The message is expected, the visible content is expected, a confirmation prompt is just a nuisance.


Replies

mlacks, yesterday at 11:47 PM

Agreed. It's the author of the skill file, not literally Cowork.