Skill v1.0.2
ClawScan security
Microsoft 365 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 19, 2026, 10:58 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's files, instructions, and required environment variables are consistent with a local Microsoft Graph integration using the Device Code Flow; it stores tokens locally and does not call non-Microsoft endpoints.
- Guidance: This skill appears to do what it claims: a local Microsoft Graph client using the Device Code Flow. Before installing, consider the following. (1) Access and refresh tokens are stored locally under ~/.openclaw/credentials/ms365.tokens.<account>.json; treat those files as sensitive and do not share or commit them. (2) The skill loads an optional ~/.openclaw/credentials/ms365.env and honours OPENCLAW_HOME if it is set, so verify that file's contents and that variable's value before use. (3) When you register the Azure app, limit the OAuth scopes to the minimum the features you use require; the bundled scopes are broad and grant file and mail write access. (4) There is a small documentation mismatch: the README refers to a repository-local tokens.json, but the code writes tokens under ~/.openclaw instead. (5) Review the included source if you need further assurance; network calls go to Microsoft endpoints only. For stricter guarantees, create a dedicated Azure app with minimal scopes and test it first with a low-privilege account.
Review Dimensions
- Purpose & Capability (ok): Name/description (Outlook, Calendar, Contacts, OneDrive via Microsoft Graph) match the code and the required env vars (MICROSOFT_CLIENT_ID, MICROSOFT_TENANT_ID). The skill needs Node and makes Graph API calls for the listed features; the requested binaries and env vars are appropriate.
- Instruction Scope (note): Runtime instructions are limited to running node index.js, registering an Azure app, and following the device-code flow. The skill loads an optional ~/.openclaw/credentials/ms365.env and stores tokens under ~/.openclaw/credentials/ms365.tokens.<account>.json; this is within scope for a local Graph client but is an important behavior to be aware of. Minor inconsistency: the README mentions a tokens.json in the repo while the code uses ~/.openclaw/credentials for token storage.
- Install Mechanism (ok): No install/download spec; the code is included and runs under Node. package.json has no external dependencies and there are no remote installers or fetched archives, so install risk is low.
- Credentials (note): Declared env vars (MICROSOFT_CLIENT_ID, MICROSOFT_TENANT_ID) are appropriate. The code also accepts optional client secret env vars (MICROSOFT_CLIENT_SECRET or account-prefixed variants) and reads OPENCLAW_HOME if present to locate credentials; OPENCLAW_HOME is not declared in the metadata but its use is benign. The OAuth scopes requested are broad (Files.ReadWrite.All, Mail.Send, Calendars.ReadWrite, Contacts.ReadWrite), which matches the functionality but means the app has wide access; consider limiting scopes when registering the app.
- Persistence & Privilege (ok): The skill persists tokens to a user-scoped directory (~/.openclaw/credentials) and does not request always:true or modify other skills. Autonomous invocation is allowed by platform default (disable-model-invocation=false), which is normal and not excessive here.
