ClawHub

Openclaw Skill M365 Task Manager

v0.1.2

Manage lightweight Microsoft 365 task workflows with Microsoft To Do and Planner. Use when a user needs to quickly create, assign, track, and follow up opera...

1· 505·3 current·3 all-time
byAbdelkrim from Brussels@abdelkrim
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description claim Microsoft 365 To Do/Planner task management and the code implements Microsoft Graph CRUD calls. Required env vars (M365_TENANT_ID, M365_CLIENT_ID) map directly to creating an Entra app and using device-code/OAuth; no unrelated credentials or binaries are requested.
Instruction Scope
SKILL.md instructs creating an Entra app, granting delegated Graph permissions, setting env vars, running npm install, and running the provided Node script. The runtime instructions and the script operate only on Microsoft identity endpoints and graph.microsoft.com and do not reference unrelated files or external endpoints. The script does read/write a local token cache (expected for offline_access).
Install Mechanism
There is no automated install spec in the registry metadata (instruction-only), but the README asks the user to run `npm install` in the repo root before using the script. This is reasonable for a Node-based script, but the user should inspect package.json (not included here) and the dependencies before running `npm install`.
Credentials
Only M365_TENANT_ID and M365_CLIENT_ID are required (plus an optional M365_TOKEN_CACHE_PATH). These are proportional to performing delegated Graph operations. No unrelated SECRET/TOKEN/PASSWORD environment variables are requested.
Persistence & Privilege
The skill does not request permanent platform-wide privileges (always is false). It caches OAuth tokens to a local file in the user's home directory by default — appropriate for device-code flow and offline_access scope. It does not modify other skills or global agent config.
Assessment
This skill appears to do exactly what it says: call Microsoft Graph to manage To Do tasks. Before installing or running it: 1) create a proper Entra app with only the delegated Graph scopes you intend to grant; 2) review the repository (especially package.json and dependencies) before running `npm install`; 3) be aware the script uses Device Code flow and will cache tokens locally (default: ~/.cache/openclaw/m365-task-manager-token.json) — store that file securely or set M365_TOKEN_CACHE_PATH to a safe location; 4) confirm the M365_CLIENT_ID you supply is a public client you control/trust (no client secret is used); and 5) if you need enterprise-level auditing/consent, prefer an admin-consented service/app registration or consult your tenant admin. Overall the package is internally coherent and consistent with its stated purpose.

Like a lobster shell, security has layers — review code before you run it.

latestvk973hnthhatmhsr74w3dreq0j981sqg2

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Clawdis
EnvM365_TENANT_ID, M365_CLIENT_ID
Primary envM365_TENANT_ID

Comments