Skill v1.5.2
ClawScan security
Outlook Mcp · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 29, 2026, 9:56 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill appears to implement what it claims (an MCP server for personal Outlook via Microsoft Graph); required permissions and runtime behavior are proportionate, with a few small documentation/behavior mismatches to be aware of.
- Guidance: This package is consistent with its stated purpose (an MCP server for personal Outlook) and uses reasonable dependencies (msgraph-sdk, azure-identity). Before installing, consider:
  1) You must register your own Azure AD app and perform interactive device-code auth on the host. This requires a free Azure account (identity verification may require a credit card) and grants the app delegated Graph scopes (Mail, Calendars, Contacts, Tasks). Review the requested permissions and use read_only: true until you're comfortable.
  2) The installer clones and runs code from GitHub and uses 'uv sync'. Inspect the repository yourself or prefer the PyPI install path if available.
  3) Although the README promises 'zero local caching,' the implementation saves an AuthenticationRecord to ~/.outlook-mcp/auth_record.json (mode 0600) to enable silent refresh; tokens are stored in the OS keyring. Treat that file as sensitive.
  4) The setup commands will register the server with OpenClaw (writing to ~/.openclaw/openclaw.json). Those changes are explicit but will modify client config.

  If you are not comfortable granting these capabilities, review the source files (they are included) or run the server in an isolated environment. Overall the skill is coherent and implements the functionality it declares.
Review Dimensions
- Purpose & Capability (ok): Name/description, code, and declared dependencies align: the package provides many Outlook Graph tools, uses msgraph-sdk and azure-identity, and requires a BYO Azure app and personal Microsoft account. No unrelated credentials or binaries are requested.
- Instruction Scope (note): Runtime instructions are focused on installing the MCP server, creating ~/.outlook-mcp/config.json (client_id etc.), running local interactive auth (device-code flow), registering the MCP server with OpenClaw (~/.openclaw/openclaw.json), and restarting the gateway. These steps are expected for an MCP server, but the code also persists an AuthenticationRecord to ~/.outlook-mcp/auth_record.json (used for silent refresh). This is not a full access token, but it is sensitive state written to disk despite a 'zero local caching' claim in SKILL.md/README, an inconsistency to note. All sensitive actions are explicit and require the user to run commands on the host; the skill's instructions do not attempt to read unrelated system files or environment variables.
- Install Mechanism (note): Install instructions (in SKILL.md frontmatter) clone the GitHub repo and run 'uv sync' (uv is the project's package manager). Cloning from GitHub is a common and reasonable install method for an MCP server, but it does execute arbitrary third-party code locally. The host (github.com/mpalermiti/outlook-mcp) is a normal release host; this is moderate risk but expected for an install-from-source workflow. (Registry metadata elsewhere saying 'no install spec' vs SKILL.md providing one is a documentation inconsistency.)
- Credentials (ok): No environment variables or unrelated credentials are requested. The skill uses a local config file (client_id, tenant_id, read_only, timezone) and OS keyring for tokens via azure-identity. The requested Microsoft Graph scopes are appropriate for the documented tools (Mail, Calendars, Contacts, Tasks, User.Read, offline_access).
- Persistence & Privilege (note): The skill is not force-included (always: false) and can be invoked by the user/agent normally. It instructs the user to register the MCP server with OpenClaw (which writes to ~/.openclaw/openclaw.json); this is expected for integration but does modify another client's config file (user-run command). The skill also persists an authentication record file to ~/.outlook-mcp/auth_record.json to allow silent refresh; tokens themselves are stored in the OS keyring as claimed.
