MS Outlook + Teams Assistant

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: ms-outlook-teams-assistant
Version: 1.0.1

The skill is classified as suspicious due to its use of high-risk capabilities: it interacts with sensitive communication data via Outlook Desktop automation (pywin32 COM in `scripts/scan_outlook.py`, `scripts/draft_reply.py`) and the Microsoft Graph API for Teams (`scripts/teams_scan.py`). While these capabilities are plausibly needed for the stated purpose of tracking messages and drafting replies, they involve network access to `graph.microsoft.com`, handling of authentication tokens, and access to email and chat content. There is no clear evidence of intentional malicious behavior such as unauthorized data exfiltration or persistence, and `SKILL.md` explicitly states safety defaults like 'Do not auto-send emails or Teams messages' and 'Create drafts'. This mitigates immediate malicious intent, but the inherent power of the skill warrants a 'suspicious' classification.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A local token cache may allow continued access to Teams/Graph data under the signed-in user's delegated permissions.

Why it was flagged

The optional Teams mode stores an MSAL delegated token cache locally so repeated Graph scans can run without a new sign-in. This is expected for the feature, but it is sensitive account-access material.

Skill content

cache_path = tcfg.get("tokenCachePath") or os.path.join("state", "teams_token_cache.bin") ... f.write(cache.serialize())

Recommendation

Use least-privilege Graph scopes, avoid ChatMessage.Send unless truly needed, keep the state directory private, and delete the token cache when disabling or uninstalling the skill.

What this means

Email or Teams subjects, sender names, snippets, and links may appear in Telegram or another reminder destination.

Why it was flagged

Reminder output can be sent to an external messaging channel. This is disclosed and core to the nagging workflow, but it can carry private message metadata or previews.

Skill content

For reminders: send to Telegram by default; only send to Teams if explicitly enabled. ... The agent should send the output to Telegram if non-empty.

Recommendation

Verify the configured reminder target, use report/no-send mode for sensitive mailboxes, and avoid sending previews to channels other people can access.

What this means

Private email content may remain in local files such as thread.json after a draft is generated.

Why it was flagged

Drafting writes up to 8000 characters of an email body into a local JSON context file. This is purpose-aligned for reply drafting, but it leaves message content on disk.

Skill content

"body": (target.Body or "")[:8000], ... with open(args.out, "w", encoding="utf-8") as f: json.dump(data, f, ensure_ascii=False, indent=2)

Recommendation

Store output files in a protected location, delete draft context files after use, and do not commit state or context files to source control.

What this means

Installing Python packages adds local code from package sources to the machine.

Why it was flagged

The skill requires a user-directed package install for Outlook automation. This is central to the Windows desktop purpose, but it is still a supply-chain step users should verify.

Skill content

Install the Python dependency (ask before doing this on the machine):
- `pip install pywin32`

Recommendation

Install dependencies from trusted package indexes, consider pinning versions, and review the included scripts before running them.