tradmangh

M365 Spam Manager

by Thomas J. Radman · GitHub ↗ · v0.1.2
cross-platform ⚠ suspicious
Downloads: 614 · Stars: 0 · Active Installs: 2 · Versions: 2
Install in OpenClaw
/install m365-spam-manager
Description
Manages Microsoft 365 junk mail by analyzing spam patterns, scoring suspicious emails, and assisting with review or automatic cleanup of Outlook/Exchange spa...
README (SKILL.md)

M365 Spam Manager (Microsoft Graph)

Installation

Requires Node.js + npm install in the skill folder:

cd skills/m365-spam-manager
npm install

Setup

Uses the same profile/credentials as m365-mailbox. Ensure you have a profile configured:

node skills/m365-mailbox/scripts/setup.mjs --profile tom-business ...

Usage

Review mode (default) — user must approve each action

# Analyze junk folder and show suspicious scores (review mode - default)
node skills/m365-spam-manager/scripts/analyze.mjs --profile tom-business-mail --mailbox [email protected]

# Move a false positive to inbox (requires confirmation)
node skills/m365-spam-manager/scripts/move-to-inbox.mjs --profile tom-business-mail --mailbox [email protected] --id <MSG_ID>

# Move confirmed spam to learning folder
node skills/m365-spam-manager/scripts/move-to-learning.mjs --profile tom-business-mail --mailbox [email protected] --id <MSG_ID>

Automatic mode (no confirmation)

# Auto-clean: move high-confidence spam to learning, medium to review
node skills/m365-spam-manager/scripts/auto-clean.mjs --profile tom-business-mail --mailbox [email protected] --threshold 80

Suspicious Score Calculation

The analyzer calculates a score (0-100) based on:

| Pattern | Points | Description |
|---|---|---|
| No unsubscribe link | +20 | Legitimate marketing must have one |
| Suspicious sender domain | +15 | Free email, misspellings, random strings |
| All caps subject | +10 | Spam often shouts |
| Excessive punctuation | +10 | !!!, ???, $$$ |
| Suspicious keywords | +15 | crypto, win, free, urgent, verify, bank, password, ... |
| Mismatched language | +10 | Subject in DE, body EN or vice versa |
| Known scam patterns | +25 | "Attention - suspected SPAM", fake invoices |
| Free email provider | +10 | gmail, yahoo, hotmail in From (not Reply-To) |
| No DKIM/SPF indication | +5 | Graph doesn't show auth results |

Score thresholds

  • 0-30: Low suspicion — likely legitimate
  • 31-70: Medium — review recommended
  • 71-100: High — almost certainly spam
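
The table and thresholds above, worked through as an added example (this is not the skill's `analyze.mjs`). The weights and bands are taken from this page; the detection regexes, the `{from, subject, body}` message shape, the function names and the "needs-review" label are assumptions, and only the rows that can be checked from those three fields are implemented.

```javascript
// Added example: weights and bands come from the README table; the detection
// regexes and the message shape {from, subject, body} are assumptions.
const RULES = [
  { name: "no-unsubscribe", points: 20,
    hit: (m) => !/unsubscribe/i.test(m.body) },
  { name: "all-caps-subject", points: 10,
    hit: (m) => /[A-Z]/.test(m.subject) && m.subject === m.subject.toUpperCase() },
  { name: "excessive-punctuation", points: 10,
    hit: (m) => /([!?$])\1{2,}/.test(m.subject) },
  { name: "suspicious-keywords", points: 15,
    hit: (m) => /\b(crypto|win|free|urgent|verify|bank|password)\b/i.test(`${m.subject} ${m.body}`) },
  { name: "free-email-provider", points: 10,
    hit: (m) => /@(gmail|yahoo|hotmail)\.[a-z.]+$/i.test(m.from) },
  { name: "known-scam-pattern", points: 25,
    hit: (m) => /attention - suspected spam/i.test(m.subject) },
];

function scoreMessage(msg) {
  const reasons = RULES.filter((r) => r.hit(msg));
  const raw = reasons.reduce((sum, r) => sum + r.points, 0);
  const score = Math.min(100, raw); // the full table sums to 120, so clamp to the 0-100 range
  const band = score <= 30 ? "low" : score <= 70 ? "medium" : "high";
  return { score, band, reasons: reasons.map((r) => r.name) };
}

// Assumed decision step: only automatic mode moves mail without a prompt, and
// only at or above --threshold; a "high" score of 71-79 still goes to review at 80.
function decide(msg, { auto = false, threshold = 80 } = {}) {
  const result = scoreMessage(msg);
  const action = auto && result.score >= threshold ? "move-to-learning" : "needs-review";
  return { ...result, action };
}

// Constructed sample messages (not real mail).
const SAMPLES = [
  { from: "billing@vendor.example", subject: "Invoice for March",
    body: "Your invoice is attached. Unsubscribe: https://vendor.example/u" },
  { from: "promo1234@gmail.com", subject: "URGENT!!! VERIFY YOUR BANK PASSWORD",
    body: "Click here to win free crypto now" },
  { from: "accounts@hotmail.com", subject: "ATTENTION - SUSPECTED SPAM: INVOICE OVERDUE!!!",
    body: "Pay now to verify your account" },
];

for (const m of SAMPLES) console.log(m.subject, decide(m, { auto: true }));
```

Returning the matched rule names with the score gives a reviewer the reason behind each number before approving a move.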

Policy

This skill respects the same policy as m365-mailbox:

  • read: autonomous (analyze, list)
  • move: controlled (move to inbox/learning folder)

In review mode, the script always prompts for confirmation before moving emails.

Usage Guidance
This skill appears to implement what it claims (reading junk mail, scoring, labeling/moving messages via Microsoft Graph) but has a few inconsistencies you should handle before installing:

  • The skill expects an m365-mailbox profile and token cache under ~/.openclaw/secrets/m365-mailbox (clientId/tenant and token cache). The skill metadata does not declare these config paths — verify those files exist and inspect them before use.
  • The scripts will read and may write the token cache file. Make a backup of your token cache/profile before running and ensure you trust the author.
  • Confirm the Graph permissions requested (Mail.Read, Mail.ReadWrite) are appropriate for your use case. Prefer running in review/dry-run mode first (the code supports dry runs) before enabling any automatic 'move' operations.
  • The code pulls dependencies from npm. Ensure you run npm install in a controlled environment and run with a Node version compatible with @azure/msal-node (msal may require Node >=20).
  • Review the included scripts yourself (they are unobfuscated) or run them in a test account. There are no hidden network endpoints besides graph.microsoft.com and npm registries, but the registry source is unknown — prefer obtaining this skill from a trusted source or verifying the full code prior to use.

If you need higher assurance, request the skill publisher's homepage or source repository, or ask for metadata updates that declare the required config paths and Node engine constraints. If you cannot inspect or verify the token/profile files, treat the skill as untrusted for production mailboxes.
Capability Analysis
Type: OpenClaw Skill
Name: m365-spam-manager
Version: 0.1.2
The OpenClaw AgentSkills skill bundle 'm365-spam-manager' is classified as benign. Its purpose is to analyze and manage Microsoft 365 spam, which it achieves by interacting with the Microsoft Graph API. The skill uses appropriate `Mail.Read` and `Mail.ReadWrite` permissions for its stated functions (reading, categorizing, and moving emails). Credential handling is secure, storing tokens and configuration in the expected `~/.openclaw/secrets/m365-mailbox` directory, and command-line arguments are properly sanitized (e.g., `encodeURIComponent` for URL parameters in `scripts/_graph.mjs`, `scripts/analyze.mjs`, `scripts/move-to-inbox.mjs`, `scripts/move-to-learning.mjs`). There is no evidence of malicious intent, data exfiltration to unauthorized endpoints, persistence mechanisms, or prompt injection attempts in `SKILL.md`.
Capability Assessment
Purpose & Capability
The name/description (M365 spam manager) align with the code: scripts use Microsoft Graph to read and label/move mail, create categories, and compute spam scores. The dependency (@azure/msal-node) is expected. However the skill depends on an external profile/token cache created by a separate 'm365-mailbox' setup (profile files under ~/.openclaw/secrets/m365-mailbox). The skill's registry metadata declared no config paths / credentials, which is inconsistent with the code that requires those profile and token cache files.
Instruction Scope
SKILL.md instructs running npm install and using an m365-mailbox profile; the runtime scripts read and (in MSAL's afterCacheAccess) may write the token cache file under the user's home (~/.openclaw/secrets/m365-mailbox). Scripts also create mailbox categories and folders and call Graph endpoints. There are no other external endpoints or obfuscated network calls. The concern is the instructions/code assume and access local secrets/config files that are not declared in metadata and that the README does not fully surface (token caches, exact path, required Node version).
Install Mechanism
There is no registry install spec; SKILL.md asks the user to run npm install in the skill folder. Dependencies come from npm (package-lock.json lists @azure/msal-node and other normal libs) — this is standard. Note: msal's package metadata indicates newer Node engine requirements (msal-node lists node >=20), while SKILL.md just says 'Node.js + npm', which could cause runtime issues if node version is older.
Credentials
The skill requests no environment variables in registry metadata, but the code requires access to profile configuration and token cache files in ~/.openclaw/secrets/m365-mailbox (reads cfg to get clientId and tenant, reads and may overwrite token cache). Those files contain sensitive authentication data / tokens. It's reasonable for a Graph mailbox tool to need mailbox tokens, but the metadata should declare these config-path requirements. The skill also requires Mail.Read or Mail.ReadWrite Graph scopes depending on the script — that matches functionality but should be highlighted to users.
Persistence & Privilege
The skill is not always: true and does not request system-wide persistent privilege. It can write to its own token cache file via MSAL (typical) and it will create categories/folders in the mailbox (expected). It does not modify other skills or system config. Autonomous invocation is allowed (default), which increases blast radius but is normal for skills; combine with other flags before granting broad trust.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install m365-spam-manager
  3. After installation, invoke the skill by name or use /m365-spam-manager
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.2
Major scoring improvement: known spammers (Temu, Lowes, kaballeros) now auto-score 90+, plus suspicious TLDs, free email providers, urgency/money/scam keywords, legit company check to reduce false positives.
v0.1.0
Initial release: analyze junk folder, calculate suspicious score (0-100) based on patterns (no unsubscribe, free email, scam keywords, language mismatch, etc.), move false positives to inbox, move confirmed spam to learning folder (Junk Examples). Review mode default.
Metadata
Slug m365-spam-manager
Version 0.1.2
License
All-time Installs 2
Active Installs 2
Total Versions 2
Frequently Asked Questions

What is M365 Spam Manager?

Manages Microsoft 365 junk mail by analyzing spam patterns, scoring suspicious emails, and assisting with review or automatic cleanup of Outlook/Exchange spa... It is an AI Agent Skill for Claude Code / OpenClaw, with 614 downloads so far.

How do I install M365 Spam Manager?

Run "/install m365-spam-manager" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is M365 Spam Manager free?

Yes, M365 Spam Manager is completely free (open-source). You can download, install and use it at no cost.

Which platforms does M365 Spam Manager support?

M365 Spam Manager is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created M365 Spam Manager?

It is built and maintained by Thomas J. Radman (@tradmangh); the current version is v0.1.2.
