Openclaw Msteams 2026.5.12 Beta.6.Tgz
Pass
Audited by VirusTotal on May 10, 2026.
Findings (1)
Package: @openclaw/msteams (npm)

Version: 2026.5.7

Description: OpenClaw Microsoft Teams channel plugin

The package is an OpenClaw plugin providing integration with Microsoft Teams via the Bot Framework and Microsoft Graph API. It handles configuration, secret management (App ID, App Password, Tenant ID, delegated tokens), access control policies, and rich messaging features (media, polls, Adaptive Cards, thread management, reactions).

The code exhibits strong security practices characteristic of high-assurance application components:

1. **SSRF Protection:** All external URL fetches (media downloads, OAuth token exchange, Graph API calls, file consent uploads) are protected using `fetchWithSsrFGuard` and custom hostname/IP validation logic (`isUrlAllowed`, `isPrivateOrReservedIP`) to prevent Server-Side Request Forgery.
2. **Authentication and Validation:** Inbound activities from Teams are rigorously validated using JWT verification based on `jsonwebtoken` and `jwks-rsa` against trusted Microsoft issuers, ensuring message authenticity.
3. **Secure Credential Handling:** Credentials and delegated OAuth tokens are managed securely, read from OpenClaw secrets/environment, and persisted only as necessary to state directories using file locks.
4. **Access Control:** Detailed policies (`dmPolicy`, `groupPolicy`, team/channel allowlists) are enforced on all inbound activity types (messages, reactions, adaptive card invokes) to restrict unauthorized agent interaction.
