Microsoft 365
Author: Robert Janssen · GitHub · v1.0.2
Total downloads: 1017
Favorites: 0
Current installs: 2
Versions: 3
Install in OpenClaw
/install microsoft365
Description
Microsoft 365 integration for Outlook, Calendar, Contacts, and OneDrive via Microsoft Graph API. Supports reading/sending emails, managing calendar events, a...
Security usage recommendations
This skill appears to do what it claims: a local Microsoft Graph client using Device Code Flow. Before installing, consider the following: (1) Tokens and refresh tokens are stored locally under ~/.openclaw/credentials/ms365.tokens.<account>.json — treat those files as sensitive and don't share them. (2) The skill will load an optional ~/.openclaw/credentials/ms365.env and will respect OPENCLAW_HOME if set — verify that file's contents before use. (3) When you register the Azure app, limit OAuth scopes to the minimum needed (the bundled scopes are broad and allow file and mail write access). (4) There's a small documentation mismatch (README reference to tokens.json) — if you rely on repository-local token storage, be aware the code writes to ~/.openclaw instead. (5) Review the included source if you need assurance; network calls go to Microsoft endpoints only. If you want stricter guarantees, create a dedicated Azure app with minimal scopes and test in a low-privilege account first.
Functional analysis
Type: OpenClaw Skill
Name: microsoft365
Version: 1.0.2
The skill is classified as suspicious primarily due to a potential path traversal vulnerability in the `uploadFile` function within `src/api.js`. The `fileName` parameter, which can be user-controlled, is directly interpolated into the Microsoft Graph API URL path (`/me/drive/root:/${fileName}:/content`). If the Graph API does not sufficiently sanitize or restrict `fileName` (e.g., against `../` sequences), an attacker could potentially upload files to unintended locations within the user's OneDrive. Additionally, the skill requests broad permissions (`Files.ReadWrite.All`, `Mail.Send`, `Calendars.ReadWrite`, `Contacts.ReadWrite`), which, while necessary for its stated functionality, increase the impact if any vulnerability were exploited. There is no evidence of intentional malicious behavior like exfiltration to unauthorized endpoints or prompt injection in `SKILL.md`.
Capability assessment
Purpose & Capability
Name/description (Outlook, Calendar, Contacts, OneDrive via Microsoft Graph) match the code and required env vars (MICROSOFT_CLIENT_ID, MICROSOFT_TENANT_ID). The skill needs Node and makes Graph API calls for the listed features; requested binaries/envs are appropriate.
Instruction Scope
Runtime instructions are limited to running node index.js, registering an Azure app, and following the device-code flow. The skill loads an optional ~/.openclaw/credentials/ms365.env and stores tokens under ~/.openclaw/credentials/ms365.tokens.<account>.json — this is within scope for a local Graph client but is an important behavior to be aware of. Minor inconsistency: README mentions tokens.json in the repo while the code uses ~/.openclaw/credentials for token storage.
Install Mechanism
No install/download spec; code is included and runs under Node. package.json has no external dependencies and there are no remote installers or fetched archives, so install risk is low.
Credentials
Declared env vars (MICROSOFT_CLIENT_ID, MICROSOFT_TENANT_ID) are appropriate. The code also accepts optional client secret envs (MICROSOFT_CLIENT_SECRET or account-prefixed variants) and reads OPENCLAW_HOME if present to locate credentials — OPENCLAW_HOME is not declared in metadata but its use is benign. The OAuth scopes requested are broad (Files.ReadWrite.All, Mail.Send, Calendars.ReadWrite, Contacts.ReadWrite), which matches functionality but means the app has wide access; consider limiting scopes when registering the app.
Persistence & Privilege
The skill persists tokens to a user-scoped directory (~/.openclaw/credentials) and does not request always:true or modify other skills. Autonomous invocation is allowed by platform default (disable-model-invocation=false) but this is normal and not excessive here.
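How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install microsoft365
- Once installation completes, invoke the Skill by name or trigger it with /microsoft365
- Provide the required input according to the Skill's parameter description to get structured output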
Version history
v1.0.2
Fixed security scanner issues: updated metadata to declare env vars and removed debug logging of ClientID
v1.0.1
Updated documentation to match implementation and translated to English
v1.0.0
Initial publish of custom MS integration
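Frequently asked questions
What is Microsoft 365?
Microsoft 365 integration for Outlook, Calendar, Contacts, and OneDrive via Microsoft Graph API. Supports reading/sending emails, managing calendar events, a... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 1017 total downloads so far.
How do I install Microsoft 365?
Run the command "/install microsoft365" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is required.
Is Microsoft 365 free?
Yes, Microsoft 365 is completely free (free and open source) and can be freely downloaded, installed, and used.
Which platforms does Microsoft 365 support?
Microsoft 365 is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Microsoft 365?
It is developed and maintained by Robert Janssen (@robert-janssen); the current version is v1.0.2.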