Microsoft To Do
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill is coherent for Microsoft To Do, but it uses delegated Microsoft Graph access that can read and modify tasks and stores OAuth tokens locally.
This looks like a normal Microsoft To Do integration. Before installing, make sure you trust the included helper, understand that it can read and modify your To Do tasks, and keep the generated token.json file private or revoke access when no longer needed.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If authorized, the skill can read and change Microsoft To Do tasks for the signed-in account, and refresh access may continue until revoked.
The skill requests delegated Microsoft Graph task permissions and optional refresh-token capability, which is expected for To Do integration but grants ongoing access to the signed-in user's task data.
Required delegated permissions:
- `Tasks.Read`
- `Tasks.ReadWrite`
- optional `offline_access`
Use the least-privileged app registration possible, protect the local token file, and revoke the app/token in Microsoft account settings if you stop using the skill.
Incorrect use could create, alter, complete, or delete tasks in the user's Microsoft To Do account.
The documented operations include account-data mutation, including deletion, but this is disclosed and aligned with the Microsoft To Do management purpose.
Use this skill when the user wants to:
- list Microsoft To Do task lists
- read tasks from a list
- create, update, complete, or delete tasks
Review task-changing actions before authorizing them, especially delete or bulk-update requests.
