MS Teams Meetings

Review

Audited by ClawScan on May 13, 2026.

Overview

Review before installing: the Teams meeting functions match the stated purpose, but the OAuth setup helper is missing while the skill requests broad calendar/meeting write access and installs unpinned dependencies at runtime.

Use this only if you are comfortable granting calendar and Teams meeting write access to a Microsoft app registration you control. Before installing, ask the publisher to provide the missing scripts/setup.py or corrected setup instructions, and consider installing pinned dependencies yourself instead of relying on automatic runtime pip installation.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The most sensitive setup flow for Microsoft authentication is referenced but not included for review or use, creating a provenance and completeness gap.

Why it was flagged

The provided file manifest includes SKILL.md and the create/list/cancel/common scripts, but no scripts/setup.py, even though that missing helper is the documented OAuth token setup path.

Skill content

Run scripts/setup.py to guide you through OAuth.

Recommendation

Do not run any setup helper unless it is included in the reviewed package; require the publisher to provide scripts/setup.py or update the instructions to match the shipped files.

What this means

First use may download and execute dependency code from the Python package ecosystem under the user's account.

Why it was flagged

The skill automatically installs unpinned Python dependencies at runtime if imports fail; this is disclosed in SKILL.md but is still a supply-chain behavior users should notice.

Skill content

os.system("python3 -m pip install --user msal requests python-dateutil tzlocal")

Recommendation

Prefer a reviewed install spec with pinned dependency versions, or install the dependencies yourself from trusted sources before using the skill.

What this means

A granted token can affect the user's Microsoft 365 calendar and Teams meetings until revoked or expired.

Why it was flagged

These Microsoft Graph delegated scopes allow the skill to read the user's identity and create, read, update, or delete calendar and Teams meeting data.

Skill content

delegated permissions:
- User.Read
- Calendars.ReadWrite
- OnlineMeetings.ReadWrite

Recommendation

Approve these permissions only for an app registration you control, and revoke the app/token if you no longer use the skill.

What this means

A mistaken invocation could cancel a real meeting, notify attendees, and optionally remove the event from the user's calendar.

Why it was flagged

The cancellation script can cancel a meeting and optionally delete the calendar event via Microsoft Graph; this is purpose-aligned but high impact if invoked on the wrong event ID.

Skill content

parser.add_argument('--hard-delete', action='store_true', help='After cancel, delete the event from calendar')

Recommendation

Confirm the event ID and attendees before using cancel or hard-delete actions, especially when the agent suggests running them.