M365 (Microsoft) Task Manager by altf1be
Review
Audited by ClawScan on May 10, 2026.
Overview
This skill appears to do what it claims—manage Microsoft To Do tasks through Microsoft Graph—but it can change/delete tasks and caches a Microsoft login token for reuse.
Before installing, confirm you are comfortable granting Microsoft Graph To Do read/write access and offline token reuse, review the npm dependency setup, and use update/delete commands only for tasks you explicitly intend to modify.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used incorrectly, the agent could update or delete Microsoft To Do tasks in the signed-in account.
The skill exposes real update and delete operations for Microsoft To Do tasks. This matches the task-manager purpose, but it can modify or remove user account data.
node skills/m365-task-manager/scripts/m365-todo.mjs tasks:update ...
node skills/m365-task-manager/scripts/m365-todo.mjs tasks:delete ...
Use destructive or modifying commands only when the user has clearly identified the target list/task and intended change; consider confirming before delete operations.
Installing and using the skill grants it delegated access to the signed-in Microsoft account for To Do task management and token reuse.
The script requests delegated Microsoft Graph permissions that allow reading the signed-in user's profile and reading/writing To Do tasks, with offline_access for token refresh.
const SCOPES = ['User.Read', 'Tasks.ReadWrite', 'offline_access'];
Use a dedicated Entra app with only the listed permissions, sign in with the intended account, and revoke the app/token if you no longer use the skill.
Anyone who can access the local token cache may be able to reuse the Microsoft session until tokens expire or are revoked.
The skill stores authentication state locally so future runs can access Microsoft Graph without another interactive login. This is disclosed and purpose-aligned, but it is persistent sensitive session material.
Token cache: local file for unattended reuse after first login
Keep the cache path in a private user directory, protect local file permissions, and delete the cache or revoke consent when access is no longer needed.
Users may need to trust the repository/package environment outside the reviewed files to install the required Node dependency.
The skill requires a manual npm dependency install, while the provided artifacts do not include an install spec or package/lock metadata showing exact dependency versions.
Install dependencies at repo root:
```bash
npm install
```
Review the repository package files and dependency versions before running npm install, and prefer pinned/locked dependencies.
