Outlook Calendar

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: outlook-calendar
Version: 1.0.2

The OpenClaw Outlook Calendar skill is designed to read Microsoft 365 Outlook calendar events. It uses Playwright and Requests to log in, obtain authentication tokens, and query the Outlook API. The skill explicitly instructs the user to store sensitive credentials (email, password) in `~/.outlook/config.json`, outside the skill directory, which is a good security practice. The `SKILL.md` provides clear, non-malicious instructions for the AI agent. While the Playwright scripts use `--no-sandbox` for Chromium, which can be a vulnerability in certain environments, there is no evidence of intentional malicious behavior such as data exfiltration to unauthorized endpoints, backdoor installation, or prompt injection attempts to subvert the agent's core functions or steal unrelated data. All network activity and file operations are consistent with the stated purpose of fetching calendar data.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone or any process that can read the ~/.outlook files could potentially reuse sensitive Microsoft 365 authentication material, and that authority is broader than simply viewing selected calendar events.

Why it was flagged

The skill requires a Microsoft 365 account password and persists cookies and tokens in local files for reuse.

Skill content

Sensitive information (account password, cookies, tokens) is stored in `~/.outlook/` ... "email": "your@company.com", "password": "your_password" ... `cookies.json` ... `token.json`

Recommendation

Prefer an official scoped OAuth/Graph calendar permission, declare the credential requirement clearly, use a protected credential store or restrictive file permissions, and avoid keeping the account password after login.

What this means

A cached bearer token can be reused during its lifetime, increasing the impact if the local token file is read by another user, backup process, or compromised tool.

Why it was flagged

The code captures a live Outlook bearer token from browser traffic and writes it to ~/.outlook/token.json.

Skill content

if auth.startswith("Bearer ") and "outlook.office.com" in req.url:
    owa_token = auth[7:] ... json.dump({"bearer": owa_token, "saved_at": time.time()}, f)

Recommendation

Use a least-privilege token flow designed for calendar read access, store tokens securely, and document exactly what permissions the token can exercise.

What this means

The agent may consult the corporate calendar when the user’s request is only loosely related to scheduling.

Why it was flagged

The invocation rule is broad and mandatory for work/task/thing-related prompts, not just explicit calendar requests.

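Skill content

Whenever the user asks any question involving schedules, meetings, arrangements, calendars, work, tasks, or things, this skill must be invoked.

Recommendation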

Narrow the trigger wording or ask for confirmation before reading the calendar for ambiguous work/task questions.

What this means

Users depend on whatever package and browser versions are fetched at install time.

Why it was flagged

The setup requires external packages and a browser download, but the versions are not pinned and there is no formal install spec.

Skill content

pip install playwright requests
playwright install chromium

Recommendation

Pin dependency versions, provide a reviewed install spec or lockfile, and install only from trusted package sources.

What this means

Local debug images may reveal sign-in context such as account identifiers or MFA prompts if the directory is shared, backed up, or exposed.

Why it was flagged

The login flow can persist debug screenshots of Microsoft sign-in/MFA pages under ~/.outlook, and this is not listed in the SKILL.md file structure.

Skill content

path = OUTLOOK_DIR / f"debug_{name}.png"
page.screenshot(path=str(path)) ... shot(page, f"wait_{i:02d}")

Recommendation

Disable debug screenshots by default, disclose them clearly, clean them up after login, and restrict permissions on ~/.outlook.