M365 Mailbox (Graph)

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches its Microsoft 365 mailbox purpose, but draft creation does not enforce the confirmation policy the setup claims to apply to write actions.

Install only if you are comfortable granting Microsoft Graph mailbox access. Use minimal scopes, avoid broad/offline consent unless needed, protect the local token cache, and be aware that enabling draft permissions may allow the agent to create drafts without the confirmation safeguard the setup text suggests.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If draft access is enabled, an agent could create email drafts in the mailbox without the confirmation behavior the setup policy implies.

Why it was flagged

The script creates a mailbox draft after only checking that the draft action is allowed; it does not call needsConfirm, even though setup.mjs defaults draft actions into requireConfirm. This undercuts the documented confirmation boundary for a write-like mailbox action.

Skill content
```js
assertAllowed(profile, 'draft');
...
const created = await graphFetch(url, {
  method: 'POST',
  token,
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify(payload),
});
```
Recommendation

Enforce needsConfirm for draft creation, or clearly document that allowing drafts permits autonomous draft creation. Users should leave draft/send disabled unless they explicitly want the agent to modify mailbox contents.

What this means

Granting broad scopes or offline access gives the local profile powerful ongoing access to your mailbox.

Why it was flagged

The skill legitimately needs delegated Microsoft mailbox permissions and local token storage, but those permissions can read, write, and send email depending on what the user grants.

Skill content
Auth is done via **your own Microsoft login** (device code flow). Tokens are stored **locally per profile** ... Delegated Microsoft Graph permissions ... `Mail.Read`, `Mail.ReadWrite`, `Mail.Send`, (optional) `offline_access`
Recommendation

Use minimal-consent mode, grant only the scopes you need, avoid offline_access unless necessary, and protect or remove the token cache at ~/.openclaw/secrets/m365-mailbox when no longer needed.

What this means

Installing the skill requires trusting the npm dependency chain used for Microsoft authentication.

Why it was flagged

The skill has no registry install spec but asks the user to install npm dependencies locally. The included package-lock provides resolved packages and integrity hashes, and the dependency is purpose-aligned, but it is still external package installation.

Skill content
After installing/updating the skill, install deps:

```bash
cd skills/m365-mailbox
npm install
```
Recommendation

Install only from the expected skill directory, prefer `npm ci` when possible, review `package-lock.json`, and keep Node/npm updated.