← Back to Skills Marketplace

Microsoft 365 Graph Openclaw

Name: Microsoft 365 Graph Openclaw
Author: draeden79

by draeden79 · GitHub ↗ · v0.2.2 · MIT-0

linuxdarwinwin32 ⚠ suspicious

497

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install microsoft-365-graph-openclaw

Description

Microsoft 365 Graph for OpenClaw with webhook-based wake signals. Reduce recurring LLM cost from inbox polling while managing Outlook mail, calendar, OneDriv...

Usage Guidance

This repo appears to implement the described push-mode Graph integration, but you should not run the provided privileged setup scripts without review. Before installing: - Audit the setup scripts (run_mail_webhook_e2e_setup.sh, setup_mail_webhook_ec2.sh, run_mail_webhook_smoke_tests.sh, diagnose scripts) to see exactly what they install and what files they write under /etc and systemd. Use --dry-run where provided. - Do not rely on the default public client_id (Alitar) for production — register your own Entra app and use its client_id so tokens are under your control. - Expect to provide and securely store OPENCLAW_HOOK_TOKEN, OPENCLAW_HOOK_URL, and GRAPH_WEBHOOK_CLIENT_STATE; the registry metadata currently does not declare these env vars (metadata/documentation mismatch). Ensure these values are managed by a secrets manager and rotated if exposed. - Inspect state/graph_auth.json handling: it contains access/refresh tokens. Ensure the state directory permissions are locked down and is gitignored (the docs state it is ignored, but verify before committing). - If you will allow the scripts to patch OpenClaw config, back up ~/.openclaw/openclaw.json first and review any automated changes; prefer manual edits in sensitive/production environments. - If you cannot audit scripts or do not want services installed on the host, consider running the adapter/worker in a contained environment (container or separate VM) and avoid running the setup scripts with sudo. Given the privileged persistence and the metadata mismatch around required secrets, treat this skill as suspicious until you've completed the checks above and replaced the test client_id with one you control.

Capability Analysis

Type: OpenClaw Skill Name: microsoft-365-graph-openclaw Version: 0.2.2 The skill provides a complex Microsoft Graph integration with a push-based webhook architecture. It includes several high-risk shell scripts (scripts/setup_mail_webhook_ec2.sh and scripts/run_mail_webhook_e2e_setup.sh) that require root privileges to install systemd services, modify Caddy configurations, and programmatically patch the main OpenClaw configuration file (openclaw.json). While these actions are documented and aligned with the stated goal of automating a production-grade deployment, the broad system-level modifications and the use of a hardcoded third-party Client ID (952d1b34-682e-48ce-9c54-bac5a96cbd42) by default represent a significant security risk and attack surface.

Capability Assessment

ℹ Purpose & Capability

The repository contains a webhook adapter, subscription lifecycle tooling, a worker, and CLI helpers for mail/calendar/drive/contacts — which matches the skill description. Required binaries (python3, bash, curl) make sense. However, the SKILL.md and scripts expect several runtime secrets and service-level env values (OPENCLAW_HOOK_URL, OPENCLAW_HOOK_TOKEN, GRAPH_WEBHOOK_CLIENT_STATE, optional OPENCLAW_SESSION_KEY) that are not declared in the registry metadata's requires.env/primaryEnv. That metadata omission is an inconsistency you should be aware of.

ℹ Instruction Scope

Runtime instructions and scripts are focused on Graph OAuth, subscription management, enqueue/dedupe, and POSTing wake signals to OpenClaw — all within stated purpose. They reference and persist tokens in state/graph_auth.json and load runtime values from /etc/default/graph-mail-webhook; they also include an advanced mode to post richer payloads to /hooks/agent. Nothing in SKILL.md instructs reading unrelated host data, but the worker/adapter will call local OpenClaw endpoints and external Microsoft Graph APIs and will persist token-bearing files locally.

ℹ Install Mechanism

The registry shows no formal install spec (instruction-only), but the repo includes privileged setup scripts (run_mail_webhook_e2e_setup.sh, setup_mail_webhook_ec2.sh, diagnose and smoke-test scripts) that install Caddy, create systemd units, write /etc/default/graph-mail-webhook, and can patch OpenClaw config. The install is script-driven (sudo) — there is no packaged installer or verified release host in the metadata, so you should review the scripts before running them with root privileges.

⚠ Credentials

The skill operates with/needs sensitive secrets: OAuth tokens (state/graph_auth.json), OPENCLAW_HOOK_TOKEN, GRAPH_WEBHOOK_CLIENT_STATE, and an OpenClaw hook URL. These are justified by the task, but the registry metadata failing to declare required env vars / primary credential is a mismatch. Additionally, the project ships with a default public client_id (Alitar app) for quick testing — using that defaults to a third‑party app issuance of tokens unless you register your own App Registration, which has privacy/security implications in production.

⚠ Persistence & Privilege

The skill does not set always:true (good), but its setup scripts intentionally create persistent system services and write to system locations (/etc, systemd units) and may patch OpenClaw config and restart the service. That is high privilege and modifies runtime/system configuration; verify the scripts and prefer --dry-run or manual inspection before allowing automated changes. The ability to auto-configure OpenClaw (other component) increases blast radius if misused.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install microsoft-365-graph-openclaw
After installation, invoke the skill by name or use /microsoft-365-graph-openclaw
Provide required inputs per the skill's parameter spec and get structured output

Version History

v0.2.2

Version 0.2.2 - Updated documentation to clarify required and optional environment variables for push-mode setup. - Service-level runtime configuration now emphasizes systemd integration using `/etc/default/graph-mail-webhook`. - README, SKILL.md, and troubleshooting docs improved for minimal-input and e2e setup workflows. - Guidance for handling missing or auto-generated `GRAPH_WEBHOOK_CLIENT_STATE` variables in automation scripts. - No user-facing code changes; this release is documentation-focused.

v0.2.1

- Updated to version 0.2.1. - Removed the `primaryEnv` and `requires.env` fields from skill metadata for simpler environment variable handling. - No code changes; documentation and metadata only.

v0.2.0

- Added sudo requirement to the mail webhook smoke test command for consistent permissions in automated scenarios. - Updated documentation to clarify and unify setup instructions for automated EC2 bootstrap and end-to-end webhook setup. - Improved troubleshooting and minimal setup docs with clearer step-by-step instructions and readiness signal outputs. - Enhanced mail webhook smoke tests for robustness and validation feedback during push setup. - Documentation and usage examples refreshed in references and scripts for ease of onboarding and maintenance.

v0.1.6

Major 0.2.0 release with documentation restructure and file layout cleanup. - Moved scripts from `graph-office-suite/scripts/` to top-level `scripts/` - Permission profiles and all documentation now under `docs/` (added multiple new docs: setup, troubleshooting, minimal setup) - Updated all references in code and markdown to new file locations - Added essential project files: README.md, CONTRIBUTING.md, SECURITY.md, MAINTAINER-PUBLISHING.md, and CHANGELOG.md - Improved clarity, automation, and onboarding process in documentation and examples

v0.1.5

- Adds detailed usage and setup instructions for Microsoft 365 Graph integration with OpenClaw, including mail, calendar, OneDrive, and contacts operations. - Introduces webhook-based wake signals to reduce recurring LLM costs from inbox polling. - Documents push-first security model: explicit hook token authentication and clientState validation. - Provides example commands and scripts for OAuth device login, mailbox operations, file uploads, calendar events, contacts, and webhook server/worker setup. - Covers automated deployment steps and recommended security practices for tokens and configuration files.

Metadata

Slug microsoft-365-graph-openclaw

Version 0.2.2

License MIT-0

All-time Installs 4

Active Installs 4

Total Versions 5

Frequently Asked Questions

What is Microsoft 365 Graph Openclaw?

Microsoft 365 Graph for OpenClaw with webhook-based wake signals. Reduce recurring LLM cost from inbox polling while managing Outlook mail, calendar, OneDriv... It is an AI Agent Skill for Claude Code / OpenClaw, with 497 downloads so far.

How do I install Microsoft 365 Graph Openclaw?

Run "/install microsoft-365-graph-openclaw" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Microsoft 365 Graph Openclaw free?

Yes, Microsoft 365 Graph Openclaw is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Microsoft 365 Graph Openclaw support?

Microsoft 365 Graph Openclaw is cross-platform and runs anywhere OpenClaw / Claude Code is available (linux, darwin, win32).

Who created Microsoft 365 Graph Openclaw?

It is built and maintained by draeden79 (@draeden79); the current version is v0.2.2.

More Skills