Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Microsoft 365 MCP Server
v1.0.0Integrate Microsoft 365 to manage Outlook email, calendar events, OneDrive files, Tasks, Teams chats, and user profiles via Microsoft Graph and MCP protocol.
⭐ 4· 2.9k·12 current·14 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The name, README, SKILL.md and src/index.ts all implement a Microsoft 365 MCP server (Graph API calls for mail, calendar, OneDrive, Teams, users). That is internally consistent with the stated purpose. However the registry metadata lists no required environment variables or primary credential while both SKILL.md and src/index.ts clearly require TENANT_ID, CLIENT_ID, CLIENT_SECRET (and optionally DEFAULT_USER). The metadata omission is an incoherence that hides the need for sensitive credentials.
Instruction Scope
SKILL.md gives precise setup steps (create Azure Entra app, grant admin consent for many Application permissions, store client secret in env, add mcporter config). The instructions do not attempt to read arbitrary local files or call unexpected endpoints — the code only calls Microsoft identity and Graph endpoints. But the instructions explicitly require admin consent and a wide set of application permissions, which is scope-expanding and high-risk for tenant-wide access. Also the runtime instructions reference environment variables that the registry metadata did not declare.
Install Mechanism
No remote download/extract install spec. This is an instruction/code bundle using standard npm dependencies (@modelcontextprotocol/sdk and dotenv). There are no URLs to arbitrary servers or obfuscated installers in the repo. Building and running is via tsc/npm which is normal.
Credentials
The skill requires tenant-level Graph application credentials (client id/secret/tenant) and SKILL.md asks for admin consent to Application permissions including Mail.ReadWrite, Files.ReadWrite.All, Chat.ReadWrite.All, User.Read.All, etc. These permissions permit read/write access across the entire tenant (emails, files, Teams chats, send-as capabilities). The number and scope of secrets is appropriate for the implemented functionality, but the privileges requested are broad and powerful — greater than a per-user least-privilege integration. Additionally, the package registry metadata did not declare these env vars/credentials, reducing transparency.
Persistence & Privilege
always is false (good), and disable-model-invocation is false (default). However because the skill operates with tenant-level credentials (admin-consented application permissions), allowing the agent to invoke this skill autonomously increases the blast radius — the agent could perform organization-wide actions (read mail/files, send mail, access chats) without further user interaction. This combination (autonomous invocation + tenant-wide creds) is high risk even though autonomy by itself is normal.
What to consider before installing
This skill implements a full Microsoft 365 integration and needs tenant-level Azure app credentials (TENANT_ID, CLIENT_ID, CLIENT_SECRET) and admin-consented application permissions. Before installing: 1) Don’t trust the registry metadata alone — it fails to list the required secrets; verify SKILL.md and code. 2) Only install if you trust the author and you understand the privileges you will grant — the requested permissions give tenant-wide read/write access to mail, files, Teams, and users. 3) Prefer creating a dedicated least-privilege Azure app (grant only the exact permissions you need), use a test or limited tenant, and avoid granting Mail.Send or Files.ReadWrite.All unless absolutely necessary. 4) Rotate and store the client secret securely; do not reuse high-priv creds. 5) If you must run in production, consider restricting the app (permission scoping, conditional access) and review the source code yourself (it only calls Microsoft identity and graph endpoints). 6) Be aware that the agent may invoke the skill autonomously; combine that with strong controls and monitoring (audit logs, limited service account) to reduce risk.Like a lobster shell, security has layers — review code before you run it.
calendarvk97b8m7wcswym7jyfkrstv1ffs7zz7hgemailvk97b8m7wcswym7jyfkrstv1ffs7zz7hglatestvk97b8m7wcswym7jyfkrstv1ffs7zz7hglatest microsoft365vk97b8m7wcswym7jyfkrstv1ffs7zz7hgmcpvk97b8m7wcswym7jyfkrstv1ffs7zz7hgonedrivevk97b8m7wcswym7jyfkrstv1ffs7zz7hgoutlookvk97b8m7wcswym7jyfkrstv1ffs7zz7hgteamsvk97b8m7wcswym7jyfkrstv1ffs7zz7hg
License
MIT-0
Free to use, modify, and redistribute. No attribution required.