ClawHub

M365 Spam Manager

v0.1.2

Manages Microsoft 365 junk mail by analyzing spam patterns, scoring suspicious emails, and assisting with review or automatic cleanup of Outlook/Exchange spa...

0· 609·2 current·2 all-time
byThomas J. Radman@tradmangh

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for tradmangh/m365-spam-manager.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "M365 Spam Manager" (tradmangh/m365-spam-manager) from ClawHub.
Skill page: https://clawhub.ai/tradmangh/m365-spam-manager
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install m365-spam-manager

ClawHub CLI

Package manager switcher

npx clawhub@latest install m365-spam-manager
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (M365 spam manager) align with the code: scripts use Microsoft Graph to read and label/move mail, create categories, and compute spam scores. The dependency (@azure/msal-node) is expected. However the skill depends on an external profile/token cache created by a separate 'm365-mailbox' setup (profile files under ~/.openclaw/secrets/m365-mailbox). The skill's registry metadata declared no config paths / credentials, which is inconsistent with the code that requires those profile and token cache files.
!
Instruction Scope
SKILL.md instructs running npm install and using an m365-mailbox profile; the runtime scripts read and (in MSAL's afterCacheAccess) may write the token cache file under the user's home (~/.openclaw/secrets/m365-mailbox). Scripts also create mailbox categories and folders and call Graph endpoints. There are no other external endpoints or obfuscated network calls. The concern is the instructions/code assume and access local secrets/config files that are not declared in metadata and that the README does not fully surface (token caches, exact path, required Node version).
Install Mechanism
There is no registry install spec; SKILL.md asks the user to run npm install in the skill folder. Dependencies come from npm (package-lock.json lists @azure/msal-node and other normal libs) — this is standard. Note: msal's package metadata indicates newer Node engine requirements (msal-node lists node >=20), while SKILL.md just says 'Node.js + npm', which could cause runtime issues if node version is older.
!
Credentials
The skill requests no environment variables in registry metadata, but the code requires access to profile configuration and token cache files in ~/.openclaw/secrets/m365-mailbox (reads cfg to get clientId and tenant, reads and may overwrite token cache). Those files contain sensitive authentication data / tokens. It's reasonable for a Graph mailbox tool to need mailbox tokens, but the metadata should declare these config-path requirements. The skill also requires Mail.Read or Mail.ReadWrite Graph scopes depending on the script — that matches functionality but should be highlighted to users.
Persistence & Privilege
The skill is not always: true and does not request system-wide persistent privilege. It can write to its own token cache file via MSAL (typical) and it will create categories/folders in the mailbox (expected). It does not modify other skills or system config. Autonomous invocation is allowed (default), which increases blast radius but is normal for skills; combine with other flags before granting broad trust.
What to consider before installing
This skill appears to implement what it claims (reading junk mail, scoring, labeling/moving messages via Microsoft Graph) but has a few inconsistencies you should handle before installing: - The skill expects an m365-mailbox profile and token cache under ~/.openclaw/secrets/m365-mailbox (clientId/tenant and token cache). The skill metadata does not declare these config paths — verify those files exist and inspect them before use. - The scripts will read and may write the token cache file. Make a backup of your token cache/profile before running and ensure you trust the author. - Confirm the Graph permissions requested (Mail.Read, Mail.ReadWrite) are appropriate for your use case. Prefer running in review/dry-run mode first (the code supports dry runs) before enabling any automatic 'move' operations. - The code pulls dependencies from npm. Ensure you run npm install in a controlled environment and run with a Node version compatible with @azure/msal-node (msal may require Node >=20). - Review the included scripts yourself (they are unobfuscated) or run them in a test account. There are no hidden network endpoints besides graph.microsoft.com and npm registries, but the registry source is unknown — prefer obtaining this skill from a trusted source or verifying the full code prior to use. If you need higher assurance, request the skill publisher's homepage or source repository, or ask for metadata updates that declare the required config paths and Node engine constraints. If you cannot inspect or verify the token/profile files, treat the skill as untrusted for production mailboxes.

Like a lobster shell, security has layers — review code before you run it.

latestvk975n5fqjdzyx6z74bn355k70981fx4t
609downloads
0stars
2versions
Updated 2mo ago
v0.1.2
MIT-0
Thomas J. Radman@tradmangh
latest
Download

M365 Spam Manager (Microsoft Graph)

Installation

Requires Node.js + npm install in the skill folder:

cd skills/m365-spam-manager
npm install

Setup

Uses the same profile/credentials as m365-mailbox. Ensure you have a profile configured:

node skills/m365-mailbox/scripts/setup.mjs --profile tom-business ...

Usage

Review mode (default) — user must approve each action

# Analyze junk folder and show suspicious scores (review mode - default)
node skills/m365-spam-manager/scripts/analyze.mjs --profile tom-business-mail --mailbox radman@e-ola.com

# Move a false positive to inbox (requires confirmation)
node skills/m365-spam-manager/scripts/move-to-inbox.mjs --profile tom-business-mail --mailbox radman@e-ola.com --id <MSG_ID>

# Move confirmed spam to learning folder
node skills/m365-spam-manager/scripts/move-to-learning.mjs --profile tom-business-mail --mailbox radman@e-ola.com --id <MSG_ID>

Automatic mode (no confirmation)

# Auto-clean: move high-confidence spam to learning, medium to review
node skills/m365-spam-manager/scripts/auto-clean.mjs --profile tom-business-mail --mailbox radman@e-ola.com --threshold 80

Suspicious Score Calculation

The analyzer calculates a score (0-100) based on:

PatternPointsDescription
No unsubscribe link+20Legitimate marketing must have one
Suspicious sender domain+15Free email, misspellings, random strings
All caps subject+10Spam often shouts
Excessive punctuation+10!!!, ???, $$$
Suspicious keywords+15crypto, win, free, urgent, verify, bank, password, ...
Mismatched language+10Subject in DE, body EN or vice versa
Known scam patterns+25"Attention - suspected SPAM", fake invoices
Free email provider+10gmail, yahoo, hotmail in From (not Reply-To)
No DKIM/SPF indication+5Graph doesn't show auth results

Score thresholds

  • 0-30: Low suspicion — likely legitimate
  • 31-70: Medium — review recommended
  • 71-100: High — almost certainly spam

Policy

This skill respects the same policy as m365-mailbox:

  • read: autonomous (analyze, list)
  • move: controlled (move to inbox/learning folder)

In review mode, the script always prompts for confirmation before moving emails.

Comments

Loading comments...