ClawHub

ExchangeService

v1.0.1

Cross-platform (Linux/macOS/Windows) skill for Exchange Server 2016 CU21 EWS operations on OpenClaw Node.js runtime.

0· 151·0 current·0 all-time
by@jokermec
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Exchange EWS on‑prem ops) align with the included Node.js scripts and the declared requirements (node/npm, Exchange URL/username/auth/password, master key). The single npm dependency (httpntlm) is appropriate for NTLM/EWS access.
Instruction Scope
SKILL.md and scripts limit activity to building and sending EWS SOAP requests (mail/folders/calendar). Write operations require explicit confirmation. Note: many optional environment variables and defaults are referenced by scripts (verify flags, mailbox overrides, long default time windows like 3650 days, etc.); these are not all listed as required in the metadata but are plausible optional settings. There is no instruction to read unrelated system files or contact unexpected external endpoints.
Install Mechanism
No platform install spec is declared (instruction-only), but the package includes package.json and many scripts and instructs users to run 'npm install'. That will fetch dependencies from the npm registry (httpntlm and transitive deps). This is expected for a Node.js skill; verify you trust npm packages before installing. Minor packaging typo in package.json version field ("1..0").
Credentials
Required env vars (EXCHANGE_URL, EXCHANGE_USERNAME, EXCHANGE_AUTH_MODE, EXCHANGE_PASSWORD, EXCHANGE_SKILL_MASTER_KEY) are proportionate to an EWS client that stores an encrypted local config. The primary credential is the Exchange password. Scripts reference additional optional env vars for defaults and verification; these are reasonable but not strictly required.
Persistence & Privilege
Skill is not marked always:true and does not request system‑wide modifications. It will create/modify its own config file (config/exchange.config.json) and store encrypted secrets using the provided master key — this is expected behavior for the stated purpose.
Assessment
This package appears to be a legitimate on‑prem Exchange EWS client. Before installing: 1) Only provide EXCHANGE_URL/USERNAME/PASSWORD and the SKILL_MASTER_KEY if you trust the skill author and your environment; the master key encrypts local config but must be protected. 2) npm install will pull httpntlm from the public registry — review package versions if you have a strict supply‑chain policy. 3) The default search scope/time window (all folders, 3650 days) can return a large amount of mail; explicitly narrow parameters when running read commands. 4) Review the included crypto-store, connection, and ews-ops source files if you need to verify exactly how secrets are handled or transmitted. 5) Run the skill in an isolated/test environment if you are unsure, and avoid giving these credentials to untrusted third parties.

Like a lobster shell, security has layers — review code before you run it.

latestvk97anant9fkexhy0hcbn3q61k5832hq6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

✉️ Clawdis
Binsnode, npm
EnvEXCHANGE_URL, EXCHANGE_USERNAME, EXCHANGE_AUTH_MODE, EXCHANGE_PASSWORD, EXCHANGE_SKILL_MASTER_KEY
Primary envEXCHANGE_PASSWORD

Comments