← Back to Skills Marketplace
Outlook for Work/School 365
by
Blake Lucas
· GitHub ↗
· v1.0.0
404
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install outlook-365
Description
Read, search, and manage Outlook emails and calendar via Microsoft Graph API. Use when the user asks about emails, inbox, Outlook, Microsoft mail, calendar e...
Usage Guidance
This skill appears to do what it says, but be aware of these practical security points before installing: 1) The automated setup will create an Azure App Registration and a client secret in the authenticated Azure account/tenant — that requires appropriate privileges and may require admin consent for some tenants. 2) The client_secret and OAuth tokens are stored on disk at ~/.outlook-mcp/config.json and credentials.json; anyone with access to those files could use them to access your mailbox until you revoke them. 3) If you prefer tighter control, perform the manual setup (references/setup.md) and create the app yourself in the Azure Portal, then paste only the minimal config into ~/.outlook-mcp. 4) After use, revoke the app secret or delete the App Registration and remove ~/.outlook-mcp to invalidate access. 5) Inspect the included scripts (they are plain shell) before running and ensure az, jq, and curl are trusted on your system.
Capability Analysis
Type: OpenClaw Skill
Name: outlook-365
Version: 1.0.0
The skill bundle contains critical shell injection vulnerabilities in 'outlook-mail.sh' and 'outlook-calendar.sh' because unsanitized variables (such as $SUBJECT, $BODY, and $QUERY) are used within double-quoted strings in curl commands, which allows for Remote Code Execution (RCE) if the agent processes untrusted input. Additionally, the 'download' command in 'outlook-mail.sh' is vulnerable to path traversal through the attachment name. While the scripts are functionally aligned with their stated purpose of managing Microsoft Outlook data, these significant security flaws and the broad API permissions required (Mail.ReadWrite, Calendars.ReadWrite) present a high risk to the host environment.
Capability Assessment
Purpose & Capability
Name/description match the code: scripts call Microsoft Graph, perform calendar and mail operations, and the setup creates an Azure app registration and requests Mail.ReadWrite, Mail.Send, Calendars.ReadWrite and offline_access scopes — all expected for full mailbox/calendar management.
Instruction Scope
Runtime instructions direct the user to run an automated setup that logs into Azure, creates an app registration, creates a client secret, guides user authorization, and saves tokens and credentials under ~/.outlook-mcp. This is consistent with the skill's purpose but does store sensitive credentials and tokens on disk; the scripts do not appear to read unrelated files or exfiltrate data to third-party endpoints.
Install Mechanism
No external install/download is performed by the skill bundle; it is instruction+script based and relies on local tools (az, jq, curl). There are no obscure or remote installers, and no extracted archives or external binaries fetched by the skill.
Credentials
The skill requests no platform env vars but creates and stores a client_id/client_secret/tenant and access/refresh tokens in ~/.outlook-mcp — this is necessary for a confidential OAuth client but is sensitive. The OAuth scopes requested are appropriate for the stated mail/calendar functionality.
Persistence & Privilege
always:false and the skill does not auto-enable itself. It will create an Azure App Registration and a client secret in the user's tenant (if the authenticated account has permissions) and write config/tokens to the user's home directory — side effects that affect the user's Azure tenant and local filesystem but are expected for this functionality.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install outlook-365 - After installation, invoke the skill by name or use
/outlook-365 - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Outlook 365 Skill v1.3.0
- Added full calendar support: view, create, update, and delete events; list calendars; check availability.
- New scripts for calendar management (`outlook-calendar.sh`).
- Expanded email features: advanced searching, focused inbox, categories, bulk operations, folder management, and stats.
- Improved setup automation via `outlook-setup.sh`; simplified credential handling.
- Enhanced troubleshooting and detailed usage examples in documentation.
Metadata
Frequently Asked Questions
What is Outlook for Work/School 365?
Read, search, and manage Outlook emails and calendar via Microsoft Graph API. Use when the user asks about emails, inbox, Outlook, Microsoft mail, calendar e... It is an AI Agent Skill for Claude Code / OpenClaw, with 404 downloads so far.
How do I install Outlook for Work/School 365?
Run "/install outlook-365" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Outlook for Work/School 365 free?
Yes, Outlook for Work/School 365 is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Outlook for Work/School 365 support?
Outlook for Work/School 365 is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Outlook for Work/School 365?
It is built and maintained by Blake Lucas (@mts-blake-lucas); the current version is v1.0.0.
More Skills