Office 365 Connector
Security checks across malware telemetry and agentic risk
Overview
This connector mostly matches its Office 365 purpose, but it can expose powerful Microsoft account tokens and has unsafe account-name file-path handling that should be reviewed before use.
Use this only if you are comfortable granting broad Microsoft 365 email, calendar, and contact access. Do not run the token-printing command unless you understand the risk, avoid putting client secrets in shared terminals or chats, use simple account names such as work or personal, and revoke the Microsoft app consent if anything looks wrong.
VirusTotal
64/64 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent runs this command or the output is copied into logs or chat, anyone who sees the token may be able to use the granted Microsoft Graph permissions until the token expires.
The CLI can print a raw Microsoft Graph bearer access token to stdout instead of keeping it internal to scoped email/calendar/contact operations.
else if (command === 'token') { getAccessToken(accountName).then(token => { console.log(token);Disable or remove the token-printing command, mask tokens in output, and require explicit user approval before any workflow exposes credentials.
A crafted account name could cause token writes or removals outside ~/.openclaw/auth/office365, risking local JSON file overwrite or deletion.
Account names are user-controlled and are used directly in filesystem paths; the code also writes and deletes these token paths, so path separators in an account name could escape the intended directory.
function getAccountTokenPath(accountName) { return path.join(ACCOUNTS_DIR, `${accountName}.json`); }Restrict account names to a safe pattern such as letters, numbers, dashes, and underscores; reject path separators and verify resolved paths remain inside the intended token directory before reading, writing, or deleting.
This is largely expected for a full Office 365 connector, but it means the skill can read and modify sensitive Microsoft 365 data and send email as the user.
The skill requests broad delegated Microsoft Graph permissions, including email send, mailbox/calendar/contact write access, and persistent refresh-token access.
const SCOPES = [ 'User.Read', 'Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'Calendars.Read', 'Calendars.ReadWrite', 'Contacts.Read', 'Contacts.ReadWrite', 'offline_access' ].join(' ');Only consent if you need the full connector; consider a least-privilege app registration with only the scopes you actually use, and revoke tokens if you stop using the skill.
Client secrets typed into commands may remain in shell history, process listings, terminal logs, or agent transcripts if not handled carefully.
The setup flow has users pass an Azure client secret as a command-line argument, which is then stored for account configuration.
node accounts.js add <name> <tenant-id> <client-id> <client-secret> [email] [description]
Avoid pasting secrets into chat or shared terminals; prefer secure prompts, environment injection, or a credential store, and rotate any secret that may have been exposed.
Users relying only on registry metadata may underestimate the account access and local credential storage involved.
The registry metadata does not surface the OAuth credentials, Microsoft Graph authority, or local auth files that the documentation and code require.
Required env vars: none; Primary credential: none; Required config paths: none; Capability signals: No capability tags were derived.
Review the SKILL.md, permission reference, and source files before installing; the publisher should declare credential/config requirements and capability tags in metadata.