← Back to Skills Marketplace
tradmangh

M365 Mailbox (Graph)

by Thomas J. Radman · GitHub ↗ · v0.1.1
cross-platform ✓ Security Clean
976
Downloads
1
Stars
8
Active Installs
2
Versions
Install in OpenClaw
/install m365-mailbox
Description
Automate Microsoft 365 mailbox tasks via Microsoft Graph: read, search, draft, send emails for Business and Consumer accounts with device code authentication.
README (SKILL.md)

M365 Mailbox (Microsoft Graph)

Installation / runtime requirements

  • Requires Node.js (scripts are Node ESM).
  • This skill declares its npm dependency in package.json.
  • After installing/updating the skill, install deps:
cd skills/m365-mailbox
npm install

Security / boundaries

  • Never commit or share token caches.
  • Default secret location (per machine): ~/.openclaw/secrets/m365-mailbox/

Setup philosophy (permission-aware)

During setup, the user chooses:

  1. What Graph permissions to request (minimal vs broad)
  2. What OpenClaw is allowed to do autonomously vs what must ask for confirmation

Two modes:

  • Minimal-consent mode (more secure): request only the scopes required for the chosen feature set.
  • Broad-consent mode (more flexible): request a superset of scopes, but enforce an autonomy policy locally.

Quick start

0) First question: connect M365 Business or M365 Home/Consumer?

  • Home/Consumer = hotmail.com, outlook.com, live.com
  • Business = Work/School account (Exchange Online)

1) Privacy / keys

  • No third-party API key required.
  • Auth is done via your own Microsoft login (device code flow).
  • Tokens are stored locally per profile on the OpenClaw machine.

2) One-command setup (interactive)

node skills/m365-mailbox/scripts/setup.mjs --profile home --tenant consumers --email [email protected] --clientId \x3CYOUR_APP_CLIENT_ID> --tz Europe/Vienna
node skills/m365-mailbox/scripts/setup.mjs --profile business --tenant organizations --email [email protected] --clientId \x3CIT_PROVIDED_CLIENT_ID> --tz Europe/Vienna

3) Use (examples)

node skills/m365-mailbox/scripts/list-unread.mjs --profile home --top 20
node skills/m365-mailbox/scripts/search.mjs --profile home --query "invoice" --top 20
node skills/m365-mailbox/scripts/get-message.mjs --profile home --id \x3CMSG_ID>
node skills/m365-mailbox/scripts/create-draft.mjs --profile home --to [email protected] --subject "Hi" --body "..."
node skills/m365-mailbox/scripts/send-draft.mjs --profile home --id \x3CDRAFT_ID>

Business note (users without IT admin rights)

Many tenants block:

  • creating app registrations as a normal user
  • user consent to new apps
  • Mail.Send or Mail.ReadWrite without admin consent

In that case this skill can still work for Business accounts, but only if your IT/SysAdmin provides a clientId for an app registration configured with:

  • Delegated Microsoft Graph permissions (depending on your chosen feature set): Mail.Read, Mail.ReadWrite, Mail.Send, (optional) offline_access
  • Public client flows enabled (Device Code)
  • (Often required) Admin consent granted

If you don’t get such a clientId/consent from IT, you can still use the skill with a Consumer account.

Usage Guidance
This skill appears to do what it says: it uses Microsoft device-code OAuth and Microsoft Graph calls and stores tokens locally. Before installing: 1) Ensure you run it on a machine with a compatible Node version (msal-node requires Node >=20). 2) Provide a legitimate clientId (for business accounts you may need an IT-provided app with admin consent). 3) Review and protect the token/cache directory (~/.openclaw/secrets/m365-mailbox); do not commit or share it. 4) Prefer minimal-consent mode and keep 'send' behind confirmation unless you explicitly trust autonomous sending. 5) Because npm dependencies are pulled at install time, only install if you trust the skill source or are prepared to audit the included package-lock.json and code (all source files are included in the bundle).
Capability Analysis
Type: OpenClaw Skill Name: m365-mailbox Version: 0.1.1 The OpenClaw AgentSkills skill bundle for M365 Mailbox is classified as benign. It provides legitimate Microsoft Graph API automation for email management, using the official `@azure/msal-node` library for authentication. Key security features include local storage of authentication tokens in a designated OpenClaw secrets directory (`~/.openclaw/secrets/m365-mailbox/`), explicit user consent for Graph API permissions during setup (`scripts/setup.mjs`), and a robust policy enforcement mechanism (`scripts/_policy.mjs`) that allows users to define allowed actions (read, draft, send) and require confirmation for sensitive operations like sending emails. Input sanitization is applied where necessary (e.g., `encodeURIComponent` for URL parameters), and all network communication is directed to the legitimate `graph.microsoft.com` endpoint. There is no evidence of data exfiltration to unauthorized destinations, arbitrary code execution, persistence mechanisms, or prompt injection attempts in `SKILL.md`.
Capability Assessment
Purpose & Capability
Name/description match the included scripts: the files implement Microsoft Graph mailbox operations (list, search, read, draft, send) and use MSAL device-code flow. Declared dependencies (@azure/msal-node) and setup requiring a clientId are appropriate for this purpose.
Instruction Scope
Runtime instructions direct the agent to run the provided Node ESM scripts and to store per-profile config/token cache under ~/.openclaw/secrets/m365-mailbox; scripts only access those files and Microsoft endpoints (login.microsoftonline.com and graph.microsoft.com). Note: msal-node in package-lock requires Node >=20 and the code uses global fetch (Node 18+ has experimental fetch, Node 20 stable) — SKILL.md states 'Node.js' but does not specify a minimum version; ensure your Node version matches the dependency requirements.
Install Mechanism
There is no remote download/install step in the skill bundle; dependencies are standard npm packages (resolved via npm registry). The SKILL.md asks the user to run npm install in the skill folder — expected for this kind of Node-based skill. Risk is typical for pulling npm deps: review/lock dependencies if you require stricter controls.
Credentials
The skill requests no environment variables or unrelated credentials. It requires a user-supplied Microsoft App clientId and tenant (expected for delegated OAuth device-code flow). Tokens and profile config are persisted locally; this is proportional but sensitive — anyone with filesystem access to the token cache can use those tokens until revoked/expired.
Persistence & Privilege
always:false and user-invocable:true (default) — no forced global inclusion. The skill stores its own files in ~/.openclaw/secrets/m365-mailbox (its own namespace) and does not modify other skills or system-wide configs. It implements a local policy to require confirmation for write/send operations by default, which limits autonomous outbound writes.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install m365-mailbox
  3. After installation, invoke the skill by name or use /m365-mailbox
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.1
Add --mailbox flag to access shared mailboxes (e.g. [email protected]).
v0.1.0
Initial release: permission-aware setup (minimal vs broad consent + local autonomy policy), list/search/read mail, create drafts, send drafts (policy-gated).
Metadata
Slug m365-mailbox
Version 0.1.1
License
All-time Installs 8
Active Installs 8
Total Versions 2
Frequently Asked Questions

What is M365 Mailbox (Graph)?

Automate Microsoft 365 mailbox tasks via Microsoft Graph: read, search, draft, send emails for Business and Consumer accounts with device code authentication. It is an AI Agent Skill for Claude Code / OpenClaw, with 976 downloads so far.

How do I install M365 Mailbox (Graph)?

Run "/install m365-mailbox" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is M365 Mailbox (Graph) free?

Yes, M365 Mailbox (Graph) is completely free (open-source). You can download, install and use it at no cost.

Which platforms does M365 Mailbox (Graph) support?

M365 Mailbox (Graph) is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created M365 Mailbox (Graph)?

It is built and maintained by Thomas J. Radman (@tradmangh); the current version is v0.1.1.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments