Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

M365 (Microsoft) Task Manager by altf1be

Manage lightweight Microsoft 365 task workflows with Microsoft To Do and Planner. Use when a user needs to quickly create, assign, track, and follow up opera...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 24 · 0 current installs · 0 all-time installs
by Abdelkrim from Brussels (@Abdelkrim)
Security Scan

VirusTotal: Benign
OpenClaw: Benign (high confidence)

Purpose & Capability

Name/description (M365 To Do CRUD) align with the included scripts. The env vars (M365_TENANT_ID, M365_CLIENT_ID) and the Microsoft Graph endpoints in the code are appropriate for the stated purpose.

Instruction Scope

SKILL.md instructs the user to register an app, grant delegated Graph scopes, set the two env vars, run npm install, and use the provided CLI commands. Runtime code only accesses the declared env vars and interacts with Microsoft identity (login.microsoftonline.com) and Graph (graph.microsoft.com). The only extra behavior is local token caching (documented).

Install Mechanism

There is no registry install spec (instruction-only), and the code uses standard Node packages (msal-node implied). No arbitrary downloads or extract-from-URL actions are present in the skill bundle. The user must run npm install locally; review package.json before installing.

Credentials

Requested env vars are limited to tenant and client ID (plus an optional token cache path). No client secrets or unrelated credentials are required. These are proportionate for a delegated device-code flow.

Persistence & Privilege

always is false. The skill persists tokens to a local cache file (default: ~/.cache/openclaw/m365-task-manager-token.json). This is expected for offline reuse but means long-lived tokens/refresh tokens are stored on disk; check file location and permissions if that is a concern.

Scan Findings in Context

[no_findings] expected: Pre-scan detected no injection signals; for a small CLI skill this is expected. Static scan also found no unexpected network endpoints or obfuscated code in the provided files.

Assessment

This skill appears to do exactly what it says: it uses delegated Device Code flow and Microsoft Graph to create and manage To Do tasks. Before installing: (1) inspect the package.json and dependency versions that npm will install (msal-node and any transitive deps); (2) ensure the Entra app registration only has the listed delegated scopes (Tasks.ReadWrite, User.Read, offline_access) and is configured as a public client if you don't want to supply a secret; (3) be aware that the skill stores tokens locally (default path shown) — verify the cache file location and permissions or set M365_TOKEN_CACHE_PATH to a secure location; (4) device-code auth will require a human to complete sign-in the first time; and (5) consider creating a dedicated app/tenant or least-privilege account for automation to limit blast radius. If you want higher assurance, request the skill author's package.json and the exact dependency versions before running npm install.

Patterns worth reviewing

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

  • scripts/m365-todo.mjs:60: Environment variable access combined with network send.
  • scripts/m365-todo.mjs:79: File read combined with network send (possible exfiltration).

Like a lobster shell, security has layers — review code before you run it.

Current version: v0.3.0
latestvk9771z797e102yts96waqarb3s831kwm

Runtime requirements

Clawdis
Env: M365_TENANT_ID, M365_CLIENT_ID
Primary env: M365_TENANT_ID

SKILL.md

M365 Task Manager

Use this skill to perform real Microsoft Graph CRUD operations for Microsoft To Do tasks.

Setup

  1. Create an Entra app registration for delegated sign-in.
  2. Add Microsoft Graph delegated permissions:
    • Tasks.ReadWrite
    • User.Read
    • offline_access
  3. Configure environment variables:

    M365_TENANT_ID=your-tenant-id-or-common
    M365_CLIENT_ID=your-public-client-app-id
    # optional
    M365_TOKEN_CACHE_PATH=/home/user/.cache/openclaw/m365-task-manager-token.json

  4. Install dependencies at repo root:

    npm install

On first run, the script uses Device Code login and caches tokens for reuse.
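
The cached tokens include refresh tokens (offline_access is requested), so the cache file and its directory should be accessible only to the owning user. The check below is an added example, not part of the skill or its author's code; `audit_token_cache` and `file_mode` are hypothetical helper names, and the path is M365_TOKEN_CACHE_PATH or the default ~/.cache/openclaw/m365-task-manager-token.json.

```shell
#!/bin/sh
# Added example: audit (and optionally tighten) the permissions of the token
# cache written by m365-todo.mjs. Helper names are hypothetical.

# Print the octal permission bits of a path (GNU stat first, then BSD stat).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Usage: audit_token_cache [--fix]
# Returns 0 when the cache is private to its owner, 1 when it is exposed
# (or could not be fixed), 2 when no cache file exists yet.
audit_token_cache() {
  cache="${M365_TOKEN_CACHE_PATH:-$HOME/.cache/openclaw/m365-task-manager-token.json}"
  dir=$(dirname "$cache")
  rc=0

  # A symlinked cache path means tokens are written to some other location.
  if [ -L "$cache" ]; then
    echo "FAIL: $cache is a symlink" >&2
    return 1
  fi
  [ -f "$cache" ] || { echo "INFO: no token cache at $cache" >&2; return 2; }

  # Any group/other permission bit on the directory or the file exposes tokens.
  for target in "$dir" "$cache"; do
    mode=$(file_mode "$target")
    case "$mode" in
      0|*00) echo "OK:   $target mode $mode" ;;
      *)
        echo "WARN: $target mode $mode allows group/other access" >&2
        if [ "${1:-}" = "--fix" ]; then
          chmod go-rwx "$target" || rc=1
        else
          rc=1
        fi ;;
    esac
  done
  return $rc
}
```

Source the file and run `audit_token_cache` after the first sign-in; pass `--fix` to strip group and other access from the file and its directory.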

Commands

# profile connection
node skills/m365-task-manager/scripts/m365-todo.mjs info

# list Microsoft To Do lists
node skills/m365-task-manager/scripts/m365-todo.mjs lists

# list tasks
node skills/m365-task-manager/scripts/m365-todo.mjs tasks:list --list-name "Tasks"

# create task
node skills/m365-task-manager/scripts/m365-todo.mjs tasks:create --list-name "Tasks" --title "2026-03-01-submit-weekly-status-report" --due 2026-03-01

# update task
node skills/m365-task-manager/scripts/m365-todo.mjs tasks:update --list-name "Tasks" --task-id <TASK_ID> --status inProgress

# delete task
node skills/m365-task-manager/scripts/m365-todo.mjs tasks:delete --list-name "Tasks" --task-id <TASK_ID>

Operating standard

  • Task title pattern: <project>-<date>-<person>-<action>
  • Required fields: title, owner, due date, status
  • Status values: Open, In Progress, Blocked, Done

References

  • references/playbook.md for operating guidance.

Scripts

  • scripts/m365-todo.mjs for Graph CRUD on Microsoft To Do.
  • scripts/format-task-name.sh for deterministic task naming.

Author

Abdelkrim BOUJRAF - ALT-F1 SRL - https://www.alt-f1.be

License

MIT

Files

4 total