Outlook Calendar (M365)

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill appears to read Outlook calendars as advertised, but it handles raw Microsoft 365 passwords, cookies, bearer tokens, and login artifacts with broad persistent authority that users should review first.

Only install this if you are comfortable storing Microsoft 365 credentials, cookies, tokens, and login debug artifacts on the local machine. There is no evidence in the provided code of sending these secrets to non-Microsoft endpoints, but a safer design would use scoped OAuth, avoid plaintext passwords, lock down file permissions, and clearly document cleanup.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone or any process that can read ~/.outlook may be able to reuse the account session or token, and the agent can access calendar data without a fresh sign-in while the session remains valid.

Why it was flagged

The skill explicitly requires a Microsoft 365 account password and stores reusable cookies and bearer tokens locally. This is high-impact account authority and is broader than a narrowly scoped calendar-read credential.

Skill content

Sensitive information (account password, Cookie, Token) is stored in `~/.outlook/` ... "password": "your_password" ... cookies.json ... token.json

Recommendation

Prefer Microsoft Graph OAuth with a delegated read-only calendar scope such as Calendars.Read, avoid storing the account password, store tokens in the OS keychain or with strict permissions, and declare the credential/config requirements in metadata.

What this means

Local debug files may retain account identifiers, MFA prompts, tenant information, or login URLs after the login task is finished.

Why it was flagged

The login script persists status logs and repeated screenshots of the Microsoft login/MFA flow under ~/.outlook, but SKILL.md only documents config, cookies, and token files.

Skill content

STATUS_FILE = OUTLOOK_DIR / "login_status.txt" ... path = OUTLOOK_DIR / f"debug_{name}.png" ... page.screenshot(path=str(path))

Recommendation

Disable screenshots by default, document all generated files, redact logs, restrict ~/.outlook permissions, and provide a clear cleanup command for debug artifacts.

What this means

The agent may read the Outlook calendar for some vague work/task questions where the user did not clearly ask to access calendar data.

Why it was flagged

The instructions force tool use for broad categories including work, tasks, and things, not only explicit calendar requests.

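Skill content

Whenever the user asks any question involving schedules, meetings, arrangements, calendars, work, tasks, or things, this skill must be invoked.

Recommendation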

Narrow the trigger to explicit calendar/schedule questions or require confirmation for ambiguous work/task requests before accessing the account.

What this means

Installation behavior depends on whatever package/browser versions are available at setup time, which can affect reliability and provenance.

Why it was flagged

The setup pulls unpinned packages and a browser dependency even though the registry requirements only list python3 and there is no install specification.

Skill content

pip install playwright requests
playwright install chromium

Recommendation

Add an install spec or lockfile with pinned package versions and document the Playwright browser dependency in registry metadata.