OfficeClaw
v1.0.4
Connect to personal Microsoft accounts via Microsoft Graph API to manage email, calendar events, and tasks. Use this skill when the user needs to read/write...
⭐ 2 · 811 · 4 current · 4 all-time
by Daniel Thomas @danielithomas
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The name/description match the requested resources: network access to graph.microsoft.com, a Python/CLI client, and one-time OAuth device-code setup. Required binaries (python/officeclaw) and the documented env vars (OFFICECLAW_CLIENT_ID, optional feature gates and allowlist) are appropriate for a Graph API client.
Instruction Scope
SKILL.md confines actions to installing the officeclaw package, performing device-code OAuth, and running CLI commands to read/write mail, calendar, and tasks. It documents where tokens are stored (~/.officeclaw/token_cache.json) and explicitly recommends least-privilege scopes and an allowlist for sending — all within the expected scope.
Install Mechanism
The skill is instruction-only (no install spec in the registry) and instructs users to pip install officeclaw from PyPI. Installing a third-party PyPI package is a normal approach but carries the usual supply-chain risk; the registry bundle itself does not contain executable code.
Credentials
No unrelated credentials are requested. The env vars referenced (OFFICECLAW_CLIENT_ID, feature gates, and allowed recipients) directly map to OAuth and safety controls for mailing operations. Token storage in the user's home directory is typical for a CLI OAuth flow.
Persistence & Privilege
The skill is not set to always:true, is user-invocable, and stores its own tokens under ~/.officeclaw — behavior consistent with a user-authorized CLI client. It does not request system-wide or other skills' configuration access.
Assessment
This skill appears coherent and implements a typical Microsoft Graph CLI workflow, but be aware: (1) the registry entry is instruction-only — the actual code runs from the officeclaw PyPI package, so inspect the package (or its GitHub repo) before installing; (2) prefer creating your own Azure app registration and set OFFICECLAW_CLIENT_ID rather than using any default app; (3) follow least-privilege advice when granting permissions and keep write/send/delete features disabled unless needed; (4) if you enable sending, configure OFFICECLAW_ALLOWED_RECIPIENTS to limit who the agent can message; and (5) verify the token cache (~/.officeclaw/token_cache.json) permissions and review the installed package for unexpected network calls or behaviors.
Like a lobster shell, security has layers — review code before you run it.
latest: vk9735xemdjmxbxx6jzz6c4vshh84647r
Runtime requirements
OS: macOS · Linux · Windows
Any bin: python, python3, officeclaw
