ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

M365 Mailbox (Graph)

v0.1.1

Automate Microsoft 365 mailbox tasks via Microsoft Graph: read, search, draft, send emails for Business and Consumer accounts with device code authentication.

1· 984· 2 versions· 8 current· 8 all-time· Updated 12h ago· MIT-0
byThomas J. Radman@tradmangh

Security Scans

VirusTotalBenignClawScanBenignStatic analysisSuspicious

Install

openclaw skills install m365-mailbox

M365 Mailbox (Microsoft Graph)

Installation / runtime requirements

  • Requires Node.js (scripts are Node ESM).
  • This skill declares its npm dependency in package.json.
  • After installing/updating the skill, install deps:
cd skills/m365-mailbox
npm install

Security / boundaries

  • Never commit or share token caches.
  • Default secret location (per machine): ~/.openclaw/secrets/m365-mailbox/

Setup philosophy (permission-aware)

During setup, the user chooses:

  1. What Graph permissions to request (minimal vs broad)
  2. What OpenClaw is allowed to do autonomously vs what must ask for confirmation

Two modes:

  • Minimal-consent mode (more secure): request only the scopes required for the chosen feature set.
  • Broad-consent mode (more flexible): request a superset of scopes, but enforce an autonomy policy locally.

Quick start

0) First question: connect M365 Business or M365 Home/Consumer?

  • Home/Consumer = hotmail.com, outlook.com, live.com
  • Business = Work/School account (Exchange Online)

1) Privacy / keys

  • No third-party API key required.
  • Auth is done via your own Microsoft login (device code flow).
  • Tokens are stored locally per profile on the OpenClaw machine.

2) One-command setup (interactive)

node skills/m365-mailbox/scripts/setup.mjs --profile home --tenant consumers --email you@outlook.com --clientId <YOUR_APP_CLIENT_ID> --tz Europe/Vienna
node skills/m365-mailbox/scripts/setup.mjs --profile business --tenant organizations --email you@company.com --clientId <IT_PROVIDED_CLIENT_ID> --tz Europe/Vienna

3) Use (examples)

node skills/m365-mailbox/scripts/list-unread.mjs --profile home --top 20
node skills/m365-mailbox/scripts/search.mjs --profile home --query "invoice" --top 20
node skills/m365-mailbox/scripts/get-message.mjs --profile home --id <MSG_ID>
node skills/m365-mailbox/scripts/create-draft.mjs --profile home --to you@example.com --subject "Hi" --body "..."
node skills/m365-mailbox/scripts/send-draft.mjs --profile home --id <DRAFT_ID>

Business note (users without IT admin rights)

Many tenants block:

  • creating app registrations as a normal user
  • user consent to new apps
  • Mail.Send or Mail.ReadWrite without admin consent

In that case this skill can still work for Business accounts, but only if your IT/SysAdmin provides a clientId for an app registration configured with:

  • Delegated Microsoft Graph permissions (depending on your chosen feature set): Mail.Read, Mail.ReadWrite, Mail.Send, (optional) offline_access
  • Public client flows enabled (Device Code)
  • (Often required) Admin consent granted

If you don’t get such a clientId/consent from IT, you can still use the skill with a Consumer account.

Version tags

latestvk977s0d7b7jjp2h8gn4hfpcjd181chbx