M365 Calendar (Graph)

The skill's code, instructions, and requirements are internally consistent with a Microsoft 365 calendar integration: it uses MSAL device-code flow, talks to Microsoft Graph, and stores tokens locally — nothing obvious is requesting unrelated credentials or exfiltrating data.

This skill appears to do what it says: it runs local Node scripts that authenticate with Microsoft (device code) and call Microsoft Graph. Before installing, consider: 1) Review the included scripts yourself (they are present and readable). 2) You must create or obtain an Azure app clientId; for business tenants you may need IT/admin consent. 3) Tokens and clientId are stored under ~/.openclaw/secrets/m365-calendar — protect that directory and do not commit it to git. 4) By default the setup avoids offline_access; only enable --offline if you understand that refresh tokens may be written to disk. 5) The import-raw-token tool will accept arbitrary token JSON — only import tokens from trusted sources. 6) npm install will fetch @azure/msal-node from the public registry; if you have supply-chain concerns, audit that dependency. If any of the above is unacceptable (unknown owner, untrusted environment), run the skill in an isolated machine or avoid installing it.