← Back to Skills Marketplace

Ms Graph Calendar

Name: Ms Graph Calendar
Author: artisong

by ARTISONG · GitHub ↗ · v1.0.2

cross-platform ⚠ suspicious

365

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install ms-graph-calendar

Description

Find available meeting times and free/busy slots for company employees using Microsoft Graph API. Use when user asks to schedule a meeting, find a free slot,...

Usage Guidance

This skill appears to implement what it claims (find free/busy via Microsoft Graph) but contains a few security inconsistencies you should address before use: - Do not run this on a shared machine without changes: get-token.js prints the raw access token to stdout and writes it to a temp file in the system temp directory. That token could be captured by logs or read by other local users/processes. Consider editing get-token.js to remove the console.log of the access token and to write the token file with restrictive permissions (e.g., fs.writeFileSync(path, data, { mode: 0o600 })). - If you prefer not to store credentials on disk, set AZURE_* env vars in a secure runtime (CI secret store, environment with restricted access) and avoid running setup.js. - Ensure the Azure App has least privilege: only grant Calendars.Read and User.Read.All as needed, and follow the README's recommendation to apply an App Access Policy in Exchange Online so the app cannot read all mailboxes unless required. Have an admin grant consent rather than using broader rights. - After testing, rotate the client secret if you accidentally exposed it (e.g., pasted it into chat or console logs). Remove the token file from /tmp if it exists. - Minor doc/code mismatches: curl is listed as required but not used by the scripts; SKILL.md mentions a device code flow though the code uses client credentials flow. If you do not control the registry/source, prefer reviewing the code and running it in an isolated environment (container or VM) before giving it production credentials. If you cannot or will not make these changes, treat the skill as risky and avoid installing it on multi-user systems or where console output is logged/collected.

Capability Analysis

Type: OpenClaw Skill Name: ms-graph-calendar Version: 1.0.2 This skill bundle is designed to interact with the Microsoft Graph API for calendar and user information. It requests read-only permissions (`Calendars.Read`, `User.Read.All`). Credentials (`AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`) are stored securely in `~/.openclaw/ms-graph-calendar.json` with `0o600` permissions by `scripts/setup.js`. Access tokens are temporarily stored in `os.tmpdir()` by `scripts/get-token.js`. All network communication is directed to `login.microsoftonline.com` and `graph.microsoft.com`. User inputs are sanitized using `encodeURIComponent` before being included in API requests. The `SKILL.md` provides clear, transparent instructions for the AI agent, explicitly stating read-only access and no logging of credentials, with no evidence of prompt injection attempts or malicious intent.

Capability Assessment

✓ Purpose & Capability

The name/description (Microsoft Graph calendar free/busy lookup) matches the required env vars (AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET) and the included Node.js scripts which call Microsoft Graph. Required binaries include node (used by scripts); curl is listed but not used by the shipped scripts (minor mismatch).

⚠ Instruction Scope

SKILL.md instructs the agent and operator to collect Azure credentials and run the included scripts; the instructions are concrete and limited to resolving names and calling Graph endpoints. However the docs state "Credentials are read from env vars only — never log or echo them", while get-token.js both prints the access token to stdout and writes it to /tmp/openclaw-graph-token.json. That contradicts the stated 'never log' guidance and creates an accidental disclosure risk if console output is captured.

✓ Install Mechanism

This is an instruction-only skill with Node.js scripts included; there is no external download or installer. No risky install URLs or extracted archives are present. The only runtime requirement is Node (and curl is listed but unused).

⚠ Credentials

Requested environment variables are appropriate for an app-only Microsoft Graph integration. However: (1) the skill caches and reuses an app access token by writing it to a temp file in the system temp directory without setting secure file permissions, which can expose the token to other local users; (2) get-token.js prints the access token to stdout (contradicting the README). These behaviours are not justified by the stated purpose and increase the blast radius of leaked credentials.

ℹ Persistence & Privilege

The skill writes persistent credentials to ~/.openclaw/ms-graph-calendar.json (setup sets file mode 600) and writes the access token to the system temp directory (no explicit mode). It does not request always: true and does not attempt to modify other skills. Persisting the client secret in the home config is expected for convenience, but the unsecured token in /tmp is a risk and should be hardened or removed after use.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install ms-graph-calendar
After installation, invoke the skill by name or use /ms-graph-calendar
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.2

- Added scripts/setup.js for initial configuration of Azure credentials. - Updated documentation with a new "Setup" section describing how to prompt users for credentials and run the setup script. - Credentials are now stored securely in ~/.openclaw/ms-graph-calendar.json instead of requiring environment variables every time. - First-time and missing-credential onboarding flow improved for easier setup.

v1.0.1

- Moved all main Node.js scripts into a new scripts/ directory for better organization. - Added .clawhub/origin.json to track skill origin. - Clarified authentication configuration and device code flow in documentation. - No changes to functionality; this update is focused on file organization and clearer instructions. - Removed obsolete script files from the root directory.

v1.0.0

Initial release of ms-graph-calendar. - Find available meeting times and free/busy slots for company employees using Microsoft Graph API. - Supports resolving attendee nicknames, searching users, and mapping Thai names to emails. - Provides commands for finding mutual free slots or listing availability for individuals/groups. - Step-by-step usage instructions, including required Azure credentials and permission setup. - Read-only access to company calendars; cannot create or edit events. - Includes troubleshooting section for common errors and setup issues.

Metadata

Slug ms-graph-calendar

Version 1.0.2

License —

All-time Installs 1

Active Installs 1

Total Versions 3

Frequently Asked Questions

What is Ms Graph Calendar?

Find available meeting times and free/busy slots for company employees using Microsoft Graph API. Use when user asks to schedule a meeting, find a free slot,... It is an AI Agent Skill for Claude Code / OpenClaw, with 365 downloads so far.

How do I install Ms Graph Calendar?

Run "/install ms-graph-calendar" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Ms Graph Calendar free?

Yes, Ms Graph Calendar is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Ms Graph Calendar support?

Ms Graph Calendar is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Ms Graph Calendar?

It is built and maintained by ARTISONG (@artisong); the current version is v1.0.2.

More Skills