Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
EWS Skill
v1.0.0
Extract calendar events from Microsoft Exchange via EWS API
by @basuev
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (EWS calendar extraction) match the files and runtime requirements. Requested binaries (curl, xmllint) and optional keyring tools (security/secret-tool) are appropriate. Required env vars (EWS_URL, EWS_USER) are exactly what an EWS client needs.
Instruction Scope
Runtime instructions and scripts stay within scope: they retrieve the password from the OS keyring, call the configured EWS_URL via curl/NTLM, parse SOAP XML, and return JSON. Notes: (1) there is a fallback path to load credentials from a .env file (plaintext EWS_PASS) for standalone use — the README warns about this; (2) the tool can write raw XML to disk via --debug-xml and may print full HTTP responses on error, which could expose sensitive calendar contents if files/outputs are not protected.
Install Mechanism
No install spec is present (instruction-only skill plus included scripts). That is low-risk; the repository provides shell scripts to run directly. Nothing is downloaded from untrusted URLs or auto-installed by the skill.
Credentials
The skill only requires EWS_URL and EWS_USER in config; the secret (EWS password) is stored in the OS keyring rather than requested as an environment variable, which is proportionate. Caveats: the scripts support a .env fallback (EWS_PASS in plaintext) which increases risk if used; the skill does not request unrelated credentials or broad environment access.
Persistence & Privilege
Skill is not forced-always. It requires the user to enable it in ~/.openclaw/openclaw.json per instructions. It does not modify other skills or system-wide agent settings and does not request permanent elevated privileges.
Assessment
This skill appears to do exactly what it says: read your EWS calendar via NTLM and return JSON. Before installing, verify the skill's source/trust (it has no homepage), review the included scripts yourself, and ensure you configure it to use the OS keyring rather than the .env fallback. If you enable debug XML or use --output files, ensure the output files have strict permissions (chmod 600) or avoid writing them to shared locations. Confirm EWS_URL points to your organization's Exchange server (HTTPS) and remove any plaintext .env files after testing. If you have concerns about third-party code, run the scripts in an isolated environment or inspect them line-by-line (they are small shell scripts).
Like a lobster shell, security has layers — review code before you run it.
latestvk97a13r18rpzj0p2xss6g3f3bn827m2s
Runtime requirements
📅 Clawdis
Bins: curl, xmllint
Any bin: security, secret-tool
Env: EWS_URL, EWS_USER
