M365 Calendar (Graph)

Type: OpenClaw Skill Name: m365-calendar Version: 0.1.9 The skill bundle is classified as suspicious due to a potential Local File Inclusion (LFI) vulnerability in `scripts/import-raw-token.mjs`. This script directly reads the content of a file specified by the `--file` argument (`fs.readFileSync(file, 'utf8')`) without path sanitization. While this script is a utility and not part of the primary operational workflow described in `SKILL.md` for the AI agent, the vulnerability exists within the bundle and could be exploited if an attacker could prompt the agent to use this script with an arbitrary file path. All other scripts and the `SKILL.md` appear to align with the stated purpose of M365 calendar automation, using standard authentication practices and appropriate permissions.