Outlook Plus
Verdict: Warn
Audited by ClawScan on May 10, 2026.
Overview
Outlook Plus appears to be a real Microsoft Graph Outlook integration, but it grants persistent mail/calendar write and send access and has unsafe mutation paths that should be reviewed before use.
Use this skill only if you want an agent to access and manage your Outlook mail and calendar. Before installing, verify the source, review the Microsoft consent scopes, protect the ~/.outlook-mcp credential files, and avoid allowing the agent to send, delete, or modify items without your explicit confirmation.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or prompt-influenced command could modify or delete Outlook data without the user clearly choosing the exact item.
The delete path does not check that EVENT_ID is non-empty before suffix matching. Because every string ends with the empty suffix, a missing or empty argument matches every event, and `head -1` then selects the first returned event for deletion.
find_event_id() { ... jq -r --arg id "$EVENT_ID" '.value[] | select(.id | endswith($id)) | .id' | head -1; } ... delete) EVENT_ID="$2"; FULL_ID=$(find_event_id "$EVENT_ID"); ... curl ... -X DELETE "$API/calendar/events/$FULL_ID"
Require non-empty IDs, prefer exact IDs or an explicit selection step, and add confirmation prompts or dry-run output before send, delete, move, archive, and calendar update/delete actions.
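To show why the empty suffix is dangerous and what the recommended check looks like, here is an added Python model of the selection step (not the skill's own code, which is the jq one-liner above); the event list and IDs are constructed placeholders:

```python
"""Model of the skill's event-selection step (added example, not the skill's code).

The shell helper pipes the Graph /calendar/events listing through
`jq 'select(.id | endswith($id))' | head -1`. The same selection is modelled
here on a constructed event list so the empty-suffix failure and the hardened
check can be exercised offline.
"""

# Constructed sample in the shape of a Microsoft Graph events listing.
# IDs are placeholders; real Graph IDs are long opaque strings.
SAMPLE_EVENTS = {
    "value": [
        {"id": "AAMkAGI2-EVENT-0001", "subject": "Team sync"},
        {"id": "AAMkAGI2-EVENT-0002", "subject": "Dentist"},
        {"id": "AAMkAGI3-EVENT-1002", "subject": "Review"},
    ]
}


def find_event_id_vulnerable(events, event_id):
    """Mirrors `endswith($id) | head -1`: '' is a suffix of every string,
    so an empty argument silently selects the first listed event."""
    for ev in events["value"]:
        if ev["id"].endswith(event_id):
            return ev["id"]
    return None


def find_event_id_hardened(events, event_id):
    """Require a non-empty ID, prefer an exact match, and refuse to guess
    when a suffix is ambiguous.

    Returns (full_id, reason): full_id is None whenever the caller must
    abort instead of issuing the DELETE."""
    if not event_id or not event_id.strip():
        return None, "EVENT_ID is required; refusing to match an empty suffix"
    ids = [ev["id"] for ev in events["value"]]
    if event_id in ids:  # exact ID supplied: unambiguous, use it as-is
        return event_id, "exact match"
    matches = [i for i in ids if i.endswith(event_id)]
    if len(matches) != 1:
        return None, f"suffix {event_id!r} matched {len(matches)} events; supply an exact ID"
    return matches[0], "unique suffix match"
```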
Anyone who can use or steal the stored tokens may read, send, change, or delete mail/calendar data within the granted scopes.
The skill clearly discloses delegated Microsoft Graph permissions and local credential storage. These permissions are expected for the Outlook management purpose, but they grant broad account access.
Configure API permissions (Mail.ReadWrite, Mail.Send, Calendars.ReadWrite) ... Save credentials to `~/.outlook-mcp/`
Install only on trusted machines, review the Microsoft consent screen carefully, protect ~/.outlook-mcp, and revoke the Azure app or tokens when no longer needed.
A malicious email could contain text that tries to persuade the agent to send mail, delete items, or reveal sensitive information.
Email bodies from external senders are returned into the agent context. The script strips some HTML and truncates the body, but the artifacts add no guidance to treat message text as untrusted input rather than instructions.
read) ... curl -s "$API/messages/$FULL_ID?...body..." ... jq '{ ... body: ... .body.content ... .[0:2000] ... }'
Treat all email and calendar content as untrusted data, not instructions, and require explicit user confirmation before taking account-changing actions based on message contents.
It is harder to verify that the reviewed package exactly matches the registry listing and intended maintainer.
The bundled metadata differs from the supplied registry metadata, which lists a different owner ID, slug `outlook-plus`, and version `1.9.0`. This is a provenance inconsistency, not evidence of malicious behavior.
"ownerId": "kn7d9cz2hq6kr5vs1gxqghbne17zxc5q", "slug": "outlook", "version": "1.4.0"
Verify the source repository and registry package before granting OAuth permissions, and align the bundled metadata with the published listing.
