Outlook-email

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A user would be trusting external, unreviewed code to access their Outlook mailbox and perform send/read actions.

Why it was flagged

The reviewed package has no `outlook` script or install spec, so the executable that would handle credentials and email actions is fetched outside the reviewed artifacts.

Skill content

git clone https://github.com/abhiramee08b021/outlook-cli.git
cd outlook-cli

Recommendation

Include the CLI code in the skill package or pin a reviewed commit; users should inspect the GitHub repository before running it.

What this means

If these stored credentials are mishandled or compromised, they could enable continued access to read or send Outlook email.

Why it was flagged

The tool stores sensitive OAuth material for mailbox access; the registry metadata declares no primary credential or required config path, and the implementation is not present for review.

Skill content

- `config.json` - Client ID and secret
- `tokens.json` - OAuth tokens (auto-generated)

Recommendation

Use a dedicated Azure app registration, verify the requested Microsoft Graph scopes, protect `~/.config/outlook-cli/`, and revoke/remove tokens when no longer needed.

What this means

An accidental or poorly reviewed send/reply command could email the wrong recipients or send unintended content.

Why it was flagged

Sending and replying are core email-client features, but they mutate a real account and can affect other people.

Skill content

| `outlook send --to ...` | Send email |
| `outlook reply <id>` | Reply to email |

Recommendation

Review recipients, message body, and reply-all behavior before allowing the agent to send or reply.