Microsoft 365 Email & Calendar

v1.2.0

Microsoft 365 Email & Calendar CLI via Microsoft Graph API. Supports multiple accounts.

by Roman Matyuschenko (@droba07)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token · Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Benign, high confidence
Purpose & Capability
The name and description ask for node and a Microsoft client ID, and the code implements Microsoft Graph calls (mail/calendar) and device-code authentication; these requirements are appropriate and expected.
Instruction Scope
SKILL.md describes the device-code flow and commands that map directly to the code. However, the docs state "no secrets stored", which is misleading: the skill persists OAuth tokens (including refresh_token) to disk under ~/.openclaw/credentials. The skill also refers to running node from the skill directory, as the instructions indicate.
Install Mechanism
No install/downloads or external installers; the skill is instruction + local Node code with no declared external package installs. This is low risk from an install mechanism perspective.
Credentials
Only MICROSOFT_CLIENT_ID (and optionally MICROSOFT_TENANT_ID) are required, which is proportional. The code will also read ~/.openclaw/credentials/ms365.env if present and inject uppercase vars into process.env, and it writes tokens to ~/.openclaw/credentials/ms365.tokens.<account>.json — these behaviors are reasonable but mean secrets (access/refresh tokens) are stored locally and any ms365.env placed there may be loaded.
Persistence & Privilege
always is false and the skill does not modify other skills or system settings. It persists its own tokens/config under ~/.openclaw/credentials, which is expected for multi-account CLI behavior.
Assessment
This skill appears to do what it says: it uses the OAuth device-code flow and Microsoft Graph to read/send mail and manage calendars. Before installing:
(1) create and use a dedicated Azure app (MICROSOFT_CLIENT_ID) rather than your organization's sensitive app id;
(2) be aware the skill saves OAuth tokens (including refresh_token) to ~/.openclaw/credentials with 0600 file permissions; treat those files as sensitive and delete or rotate tokens if you remove the skill;
(3) the code will load ~/.openclaw/credentials/ms365.env if present, so don't place unrelated secrets there;
(4) inspect the included files yourself (they're small and readable) or run the skill in a sandbox if you have concerns;
(5) note the SKILL.md wording that "no secrets stored" is inaccurate; it means no client secret is required, but tokens are stored locally.
index.js:20
Environment variable access combined with network send.
Confirmed safe by external scanners
Static analysis detected API credential-access patterns, but both VirusTotal and OpenClaw confirmed this skill is safe. These patterns are common in legitimate API integration skills.

Like a lobster shell, security has layers — review code before you run it.

latestvk974c378ae9embgkfbea9he1gd84zn2v

Runtime requirements

🟦 Clawdis
Bins: node
Env: MICROSOFT_CLIENT_ID
