← 返回 Skills 市场

Ms Graph Calendar

Name: Ms Graph Calendar
Author: artisong

作者 ARTISONG · GitHub ↗ · v1.0.2

cross-platform ⚠ suspicious

365

总下载

当前安装

版本数

在 OpenClaw 中安装

/install ms-graph-calendar

功能描述

Find available meeting times and free/busy slots for company employees using Microsoft Graph API. Use when user asks to schedule a meeting, find a free slot,...

安全使用建议

This skill appears to implement what it claims (find free/busy via Microsoft Graph) but contains a few security inconsistencies you should address before use: - Do not run this on a shared machine without changes: get-token.js prints the raw access token to stdout and writes it to a temp file in the system temp directory. That token could be captured by logs or read by other local users/processes. Consider editing get-token.js to remove the console.log of the access token and to write the token file with restrictive permissions (e.g., fs.writeFileSync(path, data, { mode: 0o600 })). - If you prefer not to store credentials on disk, set AZURE_* env vars in a secure runtime (CI secret store, environment with restricted access) and avoid running setup.js. - Ensure the Azure App has least privilege: only grant Calendars.Read and User.Read.All as needed, and follow the README's recommendation to apply an App Access Policy in Exchange Online so the app cannot read all mailboxes unless required. Have an admin grant consent rather than using broader rights. - After testing, rotate the client secret if you accidentally exposed it (e.g., pasted it into chat or console logs). Remove the token file from /tmp if it exists. - Minor doc/code mismatches: curl is listed as required but not used by the scripts; SKILL.md mentions a device code flow though the code uses client credentials flow. If you do not control the registry/source, prefer reviewing the code and running it in an isolated environment (container or VM) before giving it production credentials. If you cannot or will not make these changes, treat the skill as risky and avoid installing it on multi-user systems or where console output is logged/collected.

功能分析

Type: OpenClaw Skill Name: ms-graph-calendar Version: 1.0.2 This skill bundle is designed to interact with the Microsoft Graph API for calendar and user information. It requests read-only permissions (`Calendars.Read`, `User.Read.All`). Credentials (`AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`) are stored securely in `~/.openclaw/ms-graph-calendar.json` with `0o600` permissions by `scripts/setup.js`. Access tokens are temporarily stored in `os.tmpdir()` by `scripts/get-token.js`. All network communication is directed to `login.microsoftonline.com` and `graph.microsoft.com`. User inputs are sanitized using `encodeURIComponent` before being included in API requests. The `SKILL.md` provides clear, transparent instructions for the AI agent, explicitly stating read-only access and no logging of credentials, with no evidence of prompt injection attempts or malicious intent.

能力评估

✓ Purpose & Capability

The name/description (Microsoft Graph calendar free/busy lookup) matches the required env vars (AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET) and the included Node.js scripts which call Microsoft Graph. Required binaries include node (used by scripts); curl is listed but not used by the shipped scripts (minor mismatch).

⚠ Instruction Scope

SKILL.md instructs the agent and operator to collect Azure credentials and run the included scripts; the instructions are concrete and limited to resolving names and calling Graph endpoints. However the docs state "Credentials are read from env vars only — never log or echo them", while get-token.js both prints the access token to stdout and writes it to /tmp/openclaw-graph-token.json. That contradicts the stated 'never log' guidance and creates an accidental disclosure risk if console output is captured.

✓ Install Mechanism

This is an instruction-only skill with Node.js scripts included; there is no external download or installer. No risky install URLs or extracted archives are present. The only runtime requirement is Node (and curl is listed but unused).

⚠ Credentials

Requested environment variables are appropriate for an app-only Microsoft Graph integration. However: (1) the skill caches and reuses an app access token by writing it to a temp file in the system temp directory without setting secure file permissions, which can expose the token to other local users; (2) get-token.js prints the access token to stdout (contradicting the README). These behaviours are not justified by the stated purpose and increase the blast radius of leaked credentials.

ℹ Persistence & Privilege

The skill writes persistent credentials to ~/.openclaw/ms-graph-calendar.json (setup sets file mode 600) and writes the access token to the system temp directory (no explicit mode). It does not request always: true and does not attempt to modify other skills. Persisting the client secret in the home config is expected for convenience, but the unsecured token in /tmp is a risk and should be hardened or removed after use.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install ms-graph-calendar
安装完成后，直接呼叫该 Skill 的名称或使用 /ms-graph-calendar 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.2

- Added scripts/setup.js for initial configuration of Azure credentials. - Updated documentation with a new "Setup" section describing how to prompt users for credentials and run the setup script. - Credentials are now stored securely in ~/.openclaw/ms-graph-calendar.json instead of requiring environment variables every time. - First-time and missing-credential onboarding flow improved for easier setup.

v1.0.1

- Moved all main Node.js scripts into a new scripts/ directory for better organization. - Added .clawhub/origin.json to track skill origin. - Clarified authentication configuration and device code flow in documentation. - No changes to functionality; this update is focused on file organization and clearer instructions. - Removed obsolete script files from the root directory.

v1.0.0

Initial release of ms-graph-calendar. - Find available meeting times and free/busy slots for company employees using Microsoft Graph API. - Supports resolving attendee nicknames, searching users, and mapping Thai names to emails. - Provides commands for finding mutual free slots or listing availability for individuals/groups. - Step-by-step usage instructions, including required Azure credentials and permission setup. - Read-only access to company calendars; cannot create or edit events. - Includes troubleshooting section for common errors and setup issues.

元数据

Slug ms-graph-calendar

版本 1.0.2

许可证 —

累计安装 1

当前安装数 1

历史版本数 3

常见问题

Ms Graph Calendar 是什么？

Find available meeting times and free/busy slots for company employees using Microsoft Graph API. Use when user asks to schedule a meeting, find a free slot,... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 365 次。

如何安装 Ms Graph Calendar？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install ms-graph-calendar」即可一键安装，无需额外配置。

Ms Graph Calendar 是免费的吗？

是的，Ms Graph Calendar 完全免费（开源免费），可自由下载、安装和使用。

Ms Graph Calendar 支持哪些平台？

Ms Graph Calendar 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Ms Graph Calendar？

由 ARTISONG（@artisong）开发并维护，当前版本 v1.0.2。