Outlook Delegate
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: outlook-skill-clawhub Version: 1.0.0 The skill provides extensive delegate access to an owner's Outlook mailbox and calendar, requiring broad permissions (Mail.ReadWrite.Shared, Mail.Send.Shared, Calendars.ReadWrite.Shared). It necessitates and stores highly sensitive credentials, including `client_secret` and OAuth tokens, locally in `~/.outlook-mcp/config.json` and `~/.outlook-mcp/credentials.json`. While the `SKILL.md` documentation is transparent about these requirements and warns about protecting the credentials, the inherent power of the skill and the local storage of critical secrets represent significant security risks, classifying it as suspicious due to its high-risk capabilities rather than explicit malicious intent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the assistant, its account, or the app credentials are misused, the owner's mail and calendar could be read, changed, or used to send messages on the owner's behalf.
The skill asks for broad delegated Microsoft 365 authority over the owner's mailbox and calendar, plus persistent OAuth refresh capability.
Mail.ReadWrite.Shared, Mail.Send.Shared, Calendars.ReadWrite.Shared, User.Read, offline_access ... Add-MailboxPermission ... -AccessRights FullAccess ... Set-Mailbox ... -GrantSendOnBehalfTo
Grant only the minimum needed permissions, use a dedicated delegate account, audit Microsoft 365 activity, store secrets securely, and revoke delegate/OAuth access when no longer needed.
An incorrect or over-eager agent action could send an email, reply to someone, delete or move mail, or create calendar events in the owner's account.
The documented workflows include destructive or externally visible actions, but the provided instructions do not include confirmation, preview, or rollback requirements.
./scripts/outlook-mail.sh delete <id> ... send <to> <subj> <body> ... reply <id> "body" ... ./scripts/outlook-calendar.sh create <subj> <start> <end>
Require explicit user approval before sending, replying, deleting, moving, or creating events; preview message bodies and recipients; and prefer reversible actions where possible.
Email and calendar content may include sensitive information or untrusted third-party text that should not be treated as instructions for the agent.
The skill is intended to retrieve private mailbox and calendar content into the assistant's working context.
./scripts/outlook-mail.sh read <id> # Read email content ... ./scripts/outlook-calendar.sh events [count] # Owner's upcoming events
Retrieve only what is needed, avoid storing or reusing sensitive mail content unnecessarily, and treat message bodies as untrusted data rather than agent instructions.
The registry scan cannot confirm what those helper scripts would actually do if supplied from elsewhere.
The skill references helper scripts, but the supplied artifact set contains only SKILL.md and no reviewed implementation files.
./scripts/outlook-token.sh refresh ... ./scripts/outlook-mail.sh inbox [count] ... ./scripts/outlook-calendar.sh events [count]
Inspect and trust the actual scripts before running them, and avoid using unreviewed helper code with Microsoft 365 credentials.