Outlook
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If authorized, the skill can read and change email and calendar data, send messages, and remain signed in until access is revoked or tokens are removed.
The skill explicitly requests broad delegated Microsoft Graph permissions, including mail/calendar write access and persistent refresh-token access.
- `Mail.ReadWrite` - Read and modify emails
- `Mail.Send` - Send emails
- `Calendars.ReadWrite` - Read and modify calendar events
- `offline_access` - Refresh tokens (stay logged in)
Grant consent only for an account where this level of agent access is acceptable, and revoke the Azure app or delete ~/.outlook-mcp if you stop using the skill.
A mistaken or poorly reviewed invocation could send an unintended email or change mailbox state.
The mail helper exposes direct Microsoft Graph mutation actions such as sending email; other documented commands delete, archive, flag, and mark messages.
```sh
send)
# Send email: outlook-mail.sh send "to@email.com" "Subject" "Body"
...
-X POST "$API/sendMail"
```
Review recipients, message bodies, message IDs, and calendar event IDs before allowing the agent to perform send, reply, delete, move, or update actions.
Users may not realize from metadata alone that setup modifies Azure app registration state and creates local credential files.
The setup process depends on local tools and creates Azure account configuration, while registry metadata lists no required binaries or credential/config requirements.
```sh
# Requires: Azure CLI, jq
./scripts/outlook-setup.sh
```
The setup script will:
1. Log you into Azure
...
2. Create an App Registration automatically
Read the setup script before running it, verify Azure CLI and jq are trusted installations, and confirm the created Azure app and permissions in the Azure Portal.
Private email text may be shown to the agent, and malicious email content could try to influence the agent’s next steps if treated as instructions.
The skill returns email body content into the agent context. Email content is private and may also contain untrusted instructions from external senders.
```jq
body: (if .body.contentType == "html" then (.body.content | gsub("<[^>]*>"; "") ... | .[0:2000]) else .body.content[0:2000] end)
```
Treat email bodies as untrusted data, not instructions, and avoid asking the agent to act on email content without confirming the intended action.
