tradmangh

M365 Mailbox (Graph)

Author: Thomas J. Radman · GitHub ↗ · v0.1.1
cross-platform ✓ Security check passed
Total downloads: 976
Favorites: 1
Current installs: 8
Versions: 2
Install in OpenClaw
/install m365-mailbox
Description
Automate Microsoft 365 mailbox tasks via Microsoft Graph: read, search, draft, send emails for Business and Consumer accounts with device code authentication.
Usage instructions (SKILL.md)

M365 Mailbox (Microsoft Graph)

Installation / runtime requirements

  • Requires Node.js (scripts are Node ESM).
  • This skill declares its npm dependency in package.json.
  • After installing/updating the skill, install deps:
cd skills/m365-mailbox
npm install

Security / boundaries

  • Never commit or share token caches.
  • Default secret location (per machine): ~/.openclaw/secrets/m365-mailbox/

Setup philosophy (permission-aware)

During setup, the user chooses:

  1. What Graph permissions to request (minimal vs broad)
  2. What OpenClaw is allowed to do autonomously vs what must ask for confirmation

Two modes:

  • Minimal-consent mode (more secure): request only the scopes required for the chosen feature set.
  • Broad-consent mode (more flexible): request a superset of scopes, but enforce an autonomy policy locally.
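
An added sketch of the two modes above (not the skill's own code; `scopesFor`, `decide` and the policy shape are hypothetical): it derives the scope list for minimal vs. broad consent and shows a default-deny local gate that keeps a broad token from widening what the agent may do unattended.

```javascript
// Added example; scopesFor/decide and the policy shape are hypothetical,
// not the skill's scripts/_policy.mjs.
// Delegated Graph scope each feature needs (permissions named on the page).
const SCOPE_FOR = new Map([
  ["read", "Mail.Read"],
  ["draft", "Mail.ReadWrite"],
  ["send", "Mail.Send"],
]);

// Mail.ReadWrite also grants read access, so it satisfies a Mail.Read need.
function covers(granted, needed) {
  return granted.includes(needed) ||
    (needed === "Mail.Read" && granted.includes("Mail.ReadWrite"));
}

// Minimal mode: only scopes for the chosen features. Broad mode: the superset.
function scopesFor(features, mode, offline = true) {
  const wanted = mode === "broad" ? [...SCOPE_FOR.keys()] : features;
  const scopes = new Set();
  for (const f of wanted) {
    if (!SCOPE_FOR.has(f)) throw new Error(`unknown feature: ${f}`);
    scopes.add(SCOPE_FOR.get(f));
  }
  if (scopes.has("Mail.ReadWrite")) scopes.delete("Mail.Read"); // redundant
  if (offline) scopes.add("offline_access"); // refresh tokens (optional)
  return [...scopes].sort();
}

// Local autonomy gate: policy maps action -> "auto" | "confirm" | "deny".
// Unlisted actions are denied, so a broad token never widens the policy.
function decide(action, policy, granted, confirmed = false) {
  if (!SCOPE_FOR.has(action)) return { allow: false, reason: "unknown action" };
  const needed = SCOPE_FOR.get(action);
  if (!covers(granted, needed)) {
    return { allow: false, reason: `missing scope ${needed}` };
  }
  const rule = Object.hasOwn(policy, action) ? policy[action] : "deny";
  if (rule === "auto") return { allow: true, reason: "policy auto" };
  if (rule === "confirm") {
    return confirmed
      ? { allow: true, reason: "user confirmed" }
      : { allow: false, reason: "confirmation required" };
  }
  return { allow: false, reason: "denied by policy" };
}

// Constructed sample: broad token, but only reads run unattended.
const broad = scopesFor([], "broad");
const policy = { read: "auto", draft: "confirm", send: "confirm" };
console.log(broad, decide("send", policy, broad), decide("send", policy, broad, true));
```

The lookup uses a `Map` and `Object.hasOwn` so that an action name such as `constructor` cannot match an inherited property and slip past the gate.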

Quick start

0) First question: connect M365 Business or M365 Home/Consumer?

  • Home/Consumer = hotmail.com, outlook.com, live.com
  • Business = Work/School account (Exchange Online)

1) Privacy / keys

  • No third-party API key required.
  • Auth is done via your own Microsoft login (device code flow).
  • Tokens are stored locally per profile on the OpenClaw machine.

2) One-command setup (interactive)

node skills/m365-mailbox/scripts/setup.mjs --profile home --tenant consumers --email [email protected] --clientId <YOUR_APP_CLIENT_ID> --tz Europe/Vienna
node skills/m365-mailbox/scripts/setup.mjs --profile business --tenant organizations --email [email protected] --clientId <IT_PROVIDED_CLIENT_ID> --tz Europe/Vienna

3) Use (examples)

node skills/m365-mailbox/scripts/list-unread.mjs --profile home --top 20
node skills/m365-mailbox/scripts/search.mjs --profile home --query "invoice" --top 20
node skills/m365-mailbox/scripts/get-message.mjs --profile home --id <MSG_ID>
node skills/m365-mailbox/scripts/create-draft.mjs --profile home --to [email protected] --subject "Hi" --body "..."
node skills/m365-mailbox/scripts/send-draft.mjs --profile home --id <DRAFT_ID>

Business note (users without IT admin rights)

Many tenants block:

  • creating app registrations as a normal user
  • user consent to new apps
  • Mail.Send or Mail.ReadWrite without admin consent

In that case this skill can still work for Business accounts, but only if your IT/SysAdmin provides a clientId for an app registration configured with:

  • Delegated Microsoft Graph permissions (depending on your chosen feature set): Mail.Read, Mail.ReadWrite, Mail.Send, (optional) offline_access
  • Public client flows enabled (Device Code)
  • (Often required) Admin consent granted

If you don’t get such a clientId/consent from IT, you can still use the skill with a Consumer account.

Security recommendations
This skill appears to do what it says: it uses Microsoft device-code OAuth and Microsoft Graph calls and stores tokens locally. Before installing: 1) Ensure you run it on a machine with a compatible Node version (msal-node requires Node >=20). 2) Provide a legitimate clientId (for business accounts you may need an IT-provided app with admin consent). 3) Review and protect the token/cache directory (~/.openclaw/secrets/m365-mailbox); do not commit or share it. 4) Prefer minimal-consent mode and keep 'send' behind confirmation unless you explicitly trust autonomous sending. 5) Because npm dependencies are pulled at install time, only install if you trust the skill source or are prepared to audit the included package-lock.json and code (all source files are included in the bundle).
Functional analysis
Type: OpenClaw Skill Name: m365-mailbox Version: 0.1.1 The OpenClaw AgentSkills skill bundle for M365 Mailbox is classified as benign. It provides legitimate Microsoft Graph API automation for email management, using the official `@azure/msal-node` library for authentication. Key security features include local storage of authentication tokens in a designated OpenClaw secrets directory (`~/.openclaw/secrets/m365-mailbox/`), explicit user consent for Graph API permissions during setup (`scripts/setup.mjs`), and a robust policy enforcement mechanism (`scripts/_policy.mjs`) that allows users to define allowed actions (read, draft, send) and require confirmation for sensitive operations like sending emails. Input sanitization is applied where necessary (e.g., `encodeURIComponent` for URL parameters), and all network communication is directed to the legitimate `graph.microsoft.com` endpoint. There is no evidence of data exfiltration to unauthorized destinations, arbitrary code execution, persistence mechanisms, or prompt injection attempts in `SKILL.md`.
Capability assessment
Purpose & Capability
Name/description match the included scripts: the files implement Microsoft Graph mailbox operations (list, search, read, draft, send) and use MSAL device-code flow. Declared dependencies (@azure/msal-node) and setup requiring a clientId are appropriate for this purpose.
Instruction Scope
Runtime instructions direct the agent to run the provided Node ESM scripts and to store per-profile config/token cache under ~/.openclaw/secrets/m365-mailbox; scripts only access those files and Microsoft endpoints (login.microsoftonline.com and graph.microsoft.com). Note: msal-node in package-lock requires Node >=20 and the code uses global fetch (Node 18+ has experimental fetch, Node 20 stable) — SKILL.md states 'Node.js' but does not specify a minimum version; ensure your Node version matches the dependency requirements.
Install Mechanism
There is no remote download/install step in the skill bundle; dependencies are standard npm packages (resolved via npm registry). The SKILL.md asks the user to run npm install in the skill folder — expected for this kind of Node-based skill. Risk is typical for pulling npm deps: review/lock dependencies if you require stricter controls.
Credentials
The skill requests no environment variables or unrelated credentials. It requires a user-supplied Microsoft App clientId and tenant (expected for delegated OAuth device-code flow). Tokens and profile config are persisted locally; this is proportional but sensitive — anyone with filesystem access to the token cache can use those tokens until revoked/expired.
Persistence & Privilege
always:false and user-invocable:true (default) — no forced global inclusion. The skill stores its own files in ~/.openclaw/secrets/m365-mailbox (its own namespace) and does not modify other skills or system-wide configs. It implements a local policy to require confirmation for write/send operations by default, which limits autonomous outbound writes.
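How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install m365-mailbox
  3. Once installation completes, invoke the Skill by name or trigger it with /m365-mailbox
  4. Provide the required inputs according to the Skill's parameter documentation to get structured output
Version history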
v0.1.1
Add --mailbox flag to access shared mailboxes (e.g. [email protected]).
v0.1.0
Initial release: permission-aware setup (minimal vs broad consent + local autonomy policy), list/search/read mail, create drafts, send drafts (policy-gated).
Metadata
Slug m365-mailbox
Version 0.1.1
License
Total installs 8
Current installs 8
Versions 2
FAQ

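What is M365 Mailbox (Graph)?

Automate Microsoft 365 mailbox tasks via Microsoft Graph: read, search, draft, send emails for Business and Consumer accounts with device code authentication. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 976 total downloads to date.

How do I install M365 Mailbox (Graph)?

Run the command "/install m365-mailbox" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is needed.

Is M365 Mailbox (Graph) free?

Yes, M365 Mailbox (Graph) is completely free (free and open source); you can download, install and use it freely.

Which platforms does M365 Mailbox (Graph) support?

M365 Mailbox (Graph) runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed M365 Mailbox (Graph)?

Developed and maintained by Thomas J. Radman (@tradmangh); the current version is v0.1.1.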
