Mog
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: mogcli Version: 0.3.1 The OpenClaw AgentSkills skill bundle 'mogcli' appears benign. The code and documentation consistently describe a legitimate CLI tool for Microsoft 365, with all network communications directed to official Microsoft Graph and OAuth endpoints. File system operations are confined to user-specified paths for uploads/downloads and standard configuration files in `~/.config/mog/` with appropriate permissions. While the requested Azure AD permissions are broad (e.g., `Files.ReadWrite.All`), they align with the comprehensive functionality advertised by the tool. No evidence of intentional harmful behavior, obfuscation, or prompt injection attempts against the AI agent to perform unauthorized actions was found in any of the analyzed files, including `SKILL.md` and `internal/cli/ai_help.go`.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If authenticated, the skill can enable an agent or user command to access and modify large portions of your Microsoft 365 account, including mail, files, calendars, contacts, tasks, and notes.
These permissions give the CLI persistent delegated authority to read, write, send, and modify data across much of a Microsoft 365 account. That is aligned with the broad CLI purpose, but it is high-impact and not reflected in the registry credential/capability metadata.
Add these **Delegated** permissions: ... `offline_access` ... `Mail.ReadWrite` ... `Mail.Send` ... `Calendars.ReadWrite` ... `Files.ReadWrite.All` ... `Contacts.ReadWrite` ... `Tasks.ReadWrite` ... `Notes.ReadWrite`
Use the smallest set of Microsoft Graph scopes needed for your tasks, consider a dedicated Azure app/account, review each mutating action before execution, and revoke the app’s permissions when no longer needed.
A mistaken or overly broad agent instruction could send email, delete files or tasks, clear spreadsheet ranges, or change business data.
The skill exposes many mutating and destructive operations. They are disclosed and purpose-aligned for an operations CLI, but they require careful user approval in an agent environment.
| **drive** | ls, search, download, upload, mkdir, move, rename, copy, rm | ... | **tasks** | lists, list, add, done, undo, delete, clear | ... | **excel** | list, get, update, append, create, metadata, tables, add-sheet, clear, copy, export |
Only allow the agent to run specific commands you intended, especially for send, delete, clear, update, upload, and copy operations.
Users may believe OAuth tokens have stronger local protection than the provided artifacts demonstrate, increasing risk if the device or config directory is exposed.
This is a strong credential-safety claim. Other visible artifacts show token storage defaults to `file` and keychain storage is optional, so users should verify how tokens are actually protected rather than relying on this wording.
`tokens.json` - OAuth tokens (encrypted at rest by OS)
Prefer `--storage keychain` where available, protect `~/.config/mog/`, and treat `tokens.json` as highly sensitive unless encryption is independently verified.
Installing `@latest` may fetch a newer version than the reviewed artifact.
The documented install path pulls the latest version from an external GitHub module rather than a pinned version. This is normal Go CLI documentation, but users should verify source and version.
go install github.com/visionik/mogcli/cmd/mog@latest
Install a pinned, reviewed version where possible and verify the repository/release before use.
A stale or altered slug cache could cause commands to refer to the wrong Microsoft 365 object, and the cache may reveal information about previously accessed resources.
The CLI persists a mapping from short slugs to Microsoft resource IDs. This is disclosed and useful, but it creates local state reused by future commands.
Slugs cached in `~/.config/mog/slugs.json`
Use verbose/full IDs for sensitive operations when in doubt and clear the cache with logout or manual cleanup if the device is shared.