Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
MS Outlook + Teams Assistant
v1.0.1
Track and nag about Microsoft Outlook email and (optionally) Microsoft Teams messages on a Windows machine, without relying on web versions. Use when the user asks to: (1) monitor inbox/mentions and remind them on Telegram/Teams until dismissed, (2) draft short, personable, low-jargon email replies from an existing Outlook thread, (3) surface action items from the last N days (default 7). Works via Outlook Desktop automation (COM) and optionally Microsoft Graph for Teams if configured.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (high confidence)
Purpose & Capability
The skill is desktop-first and uses Outlook COM (pywin32) and optional Microsoft Graph for Teams — this matches the description. Minor mismatch: the registry metadata declares no OS restriction or required binaries, but the code requires a Windows environment with Python and the pywin32 (win32com) package for full Outlook functionality. That omission is configuration sloppiness but not functional deception.
Instruction Scope
SKILL.md instructs the agent to scan Outlook, optionally use Graph for Teams via device-code auth, create drafts (not send), and use local state files for dismiss/snooze. The scripts only reference the intended files and APIs (Outlook COM, Microsoft Graph). They do read mailbox contents and Teams messages — which is expected for the stated purpose — and they write local state and token cache files.
Install Mechanism
There is no install spec and no remote download — this is an instruction-and-script bundle. Dependencies are normal Python packages (pywin32, msal, requests) installed via pip as instructed. No suspicious third-party download URLs or archive extraction were used.
Credentials
The skill declares no environment variables but requires configuration values (Outlook mailbox name, Teams tenantId/clientId/scopes) in references/config.json. If Teams is enabled, MSAL will create a token cache file (state/teams_token_cache.bin) containing authentication material. Requesting tenant/client IDs and writing a token cache is proportionate to Graph usage, but the user should treat these files as sensitive.
Persistence & Privilege
The skill writes state files (state/*.json) and a token cache for Graph in state/. It does not set always:true and does not modify other skills. Autonomous invocation is allowed by default (platform normal), so if the agent is granted runtime access the skill could run scans without further manual steps. This is expected for an automation skill but increases the importance of trusting the skill source.
Assessment
This skill appears to do what it says: locally scan Outlook via COM and optionally call Microsoft Graph for Teams. Before installing, consider: (1) you must run it on Windows with Python and pywin32; the metadata does not state that explicitly—confirm your environment. (2) The skill will read your emails/Teams messages and store state and a token cache under the skill directory — treat those files as sensitive and don't commit them to source control. (3) If you enable Teams support you need to register an Entra (Azure AD) app and grant delegated permissions; that requires tenant/admin consent in many orgs. (4) The package source is unknown (no homepage); review the scripts yourself or run in a restricted account/VM if you don’t fully trust the publisher. (5) The skill honors a 'do not auto-send' default, but granting it runtime/autonomous invocation means it can repeatedly read and produce drafts/notifications — enable only if you accept that level of access.
Like a lobster shell, security has layers — review code before you run it.
