nathanatgit

Ms Todo Oauth

Author: nathanatgit · GitHub · v1.0.4
cross-platform ⚠ suspicious
899 total downloads
0 favorites
2 current installs
5 versions
Install in OpenClaw:
/install ms-todo-oauth
Description
A robust CLI skill to manage Microsoft To Do tasks via Microsoft Graph API. Supports full task lifecycle management including lists, tasks with priorities, due dates, reminders, recurrence patterns, views, search, and data export. Includes comprehensive test suite for reliability. THIS IS A REVISED OAUTH2-BASED VERSION OF ms-todo-sync with AI ASSISTANCE. ALL CREDITS TO THE ORIGINAL AUTHOR.
Safe-usage recommendations
What to consider before installing or running this skill:
- The package explicitly contains an Azure client_id (visible) and, per SKILL.md, a client_secret embedded in scripts/ms-todo-oauth.py. Hard-coded client secrets in distributed code are risky: anyone who reads the package can abuse them, and the publisher can revoke them at any time without your knowledge. Expect the code to use those credentials unless you replace them.
- Prefer creating your own Azure app registration and replacing the client_id/client_secret in the code, or better, modify the script to read client_id and client_secret from environment variables or a local config file. A CLI that runs on end-user machines cannot keep a client secret confidential; registering your app as a public client and using a flow that needs no secret (for example the device code flow) removes the problem entirely. If you use the included secret, treat it as untrusted and rotate/revoke it after use.
- The tests run real operations against your Microsoft account (create/delete lists, add/delete tasks). Run them only on an account you control and are willing to let the test suite modify; consider creating a disposable Microsoft account for testing.
- Inspect scripts/ms-todo-oauth.py yourself before running it. Look for the client_secret literal (SKILL.md gives search strings such as client_id="ca6ec244…" and client_secret="TwQ8Q…") and remove or replace it. Verify that no other remote endpoints or data-exfiltration code exist: the README claims all API calls go to graph.microsoft.com, which matches the visible code, but check the rest of the file.
- The package documentation and test suite use 'uv run' in many examples; that wrapper may not be installed on your system. The package still runs with python3 directly, but tests/examples may fail if you follow the docs verbatim. (The v1.0.4 changelog says the uv references were replaced with venv instructions; check which your installed copy actually uses.)
- If you cannot audit code, do not run this against your primary Microsoft account. Run it in an isolated environment with credentials you can revoke.
- If you decide to proceed: (1) audit the repository for the hard-coded secret and remove or replace it, (2) adjust the code to read credentials from environment variables, (3) run the tests on a disposable account, and (4) consider scanning the package with additional static analysis tools.
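The audit and the replacement pattern from the recommendations above, as an added example (this is not code from the ms-todo-oauth package or its author): a scanner that reports hard-coded client_id/client_secret literals in a script, and a loader that reads the credentials from the environment instead of an embedded default. The sample script text, its GUID and its secret value are constructed for the example, and the variable names MSTODO_CLIENT_ID / MSTODO_CLIENT_SECRET are this example's choice, not names the skill defines.

```python
"""Added example, not code from the ms-todo-oauth package: a check for hard-coded
Azure app credentials in a script, and the replacement pattern of reading them from
the environment. The sample script text and its credential values are constructed."""
import os
import re
from typing import List, Mapping, Optional, Tuple

# Assignments of the form  client_id = "..."  /  DEFAULT_CLIENT_ID = '...'  /
# client_secret = "...".  Name match is case-insensitive; quotes must balance.
CRED_LITERAL = re.compile(
    r"""(?P<name>(?:default_)?client_(?:id|secret))\s*=\s*(?P<q>["'])(?P<value>[^"']+)(?P=q)""",
    re.IGNORECASE,
)
# Azure app registration IDs are GUIDs; anything else in a client_id slot is
# treated as a placeholder (e.g. "YOUR_CLIENT_ID") rather than a real credential.
GUID = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)


def find_hardcoded_credentials(source: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, variable_name, value) for every credential literal found.
    Any non-empty client_secret literal is reported; a client_id only if it is a GUID."""
    hits: List[Tuple[int, str, str]] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for m in CRED_LITERAL.finditer(line):
            name, value = m.group("name").lower(), m.group("value")
            if name.endswith("secret") or GUID.match(value):
                hits.append((line_no, name, value))
    return hits


def scan_file(path: str) -> List[Tuple[int, str, str]]:
    """Convenience wrapper: scan a script on disk, e.g. scripts/ms-todo-oauth.py."""
    with open(path, encoding="utf-8", errors="replace") as f:
        return find_hardcoded_credentials(f.read())


def load_credentials(env: Optional[Mapping[str, str]] = None) -> Tuple[str, Optional[str]]:
    """Replacement for an embedded default: read the client_id (required) and the
    client_secret (optional; absent for a public-client flow) from the environment.
    MSTODO_CLIENT_ID / MSTODO_CLIENT_SECRET are this example's names, not the skill's.
    Fails closed instead of silently falling back to a built-in ID."""
    env = os.environ if env is None else env
    client_id = env.get("MSTODO_CLIENT_ID", "").strip()
    if not GUID.match(client_id):
        raise RuntimeError("MSTODO_CLIENT_ID is missing or is not an app-registration GUID")
    secret = env.get("MSTODO_CLIENT_SECRET", "").strip() or None
    return client_id, secret


# Constructed stand-in for the kind of script the recommendations describe.
# The GUID and secret below are invented and belong to no real app registration.
SAMPLE_SCRIPT = '''\
import msal
DEFAULT_CLIENT_ID = "11111111-2222-3333-4444-555555555555"
client_secret = "constructed~not.a.real.secret"
placeholder_id = "YOUR_CLIENT_ID"
'''

if __name__ == "__main__":
    for line_no, name, value in find_hardcoded_credentials(SAMPLE_SCRIPT):
        print(f"line {line_no}: {name} = {value[:8]}...  (remove, or move to the environment)")
```

Run `scan_file("scripts/ms-todo-oauth.py")` on the installed copy to get the line numbers to edit; the scanner deliberately ignores non-GUID client_id placeholders so a script that has already been sanitized reports nothing.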
Analysis
Type: OpenClaw Skill
Name: ms-todo-oauth
Version: 1.0.4
The skill is classified as suspicious because of a credential-handling flaw: the Azure AD application client ID and client secret are hard-coded in `scripts/ms-todo-oauth.py`. `SKILL.md` acknowledges this and suggests replacing them, but shipping the secret in the distributed code means anyone who reads the package can present themselves as that application in OAuth flows, and the publisher can revoke the secret at any time, which would break every installed copy. This is a significant weakness that enables abuse, not evidence of intentional malicious behavior. All network calls are directed to `graph.microsoft.com`, and no other indicators of malice (data exfiltration to unauthorized endpoints, persistence mechanisms, or prompt-injection attempts against the agent) were found.
Capability assessment
Purpose & Capability
The name/description match the code and dependencies: the package uses msal and graph.microsoft.com, as expected for a Microsoft To Do CLI. However, SKILL.md explicitly states that a generated Azure Client ID and Secret are embedded in scripts/ms-todo-oauth.py, while the registry metadata lists no required credentials. This is an inconsistency: the embedded secret is related to the skill's purpose, but the package should not be treated as an innocuous 'no-credentials' package. The test suite and docs also frequently use the 'uv run' wrapper even though the declared required binaries are 'none'.
Instruction Scope
Runtime instructions stay within the expected scope: they direct an OAuth2 login flow, call Microsoft Graph endpoints, and persist a local token cache at ~/.mstodo_token_cache.json. The docs and tests explicitly instruct running an automated test suite that will create and delete lists in your Microsoft account — this is expected behavior for integration tests but important to know. The SKILL.md also instructs users to find and replace client_id/client_secret values in the Python script, which implies sensitive data is present inside the code rather than being injected via environment variables.
Install Mechanism
There is no external install script; this is instruction-and-code only. Dependencies are declared in requirements.txt (msal, requests), which is proportional to the described functionality. No remote downloads or unusual install steps are present.
Credentials
The package includes a built-in Azure Client ID (DEFAULT_CLIENT_ID is visible), and SKILL.md warns that a client_secret is present in scripts/ms-todo-oauth.py. The skill declares no required env vars or primary credential, yet the code uses msal.ConfidentialClientApplication, a confidential-client flow that requires a client_secret. A confidential client is the wrong shape for a tool that runs on end-user machines: a secret shipped in source is not confidential, it exposes a long-lived credential, and it shifts trust to whoever published the package. The script also persists tokens to ~/.mstodo_token_cache.json, which is expected for a CLI but means cached tokens live on disk between runs.
Persistence & Privilege
The skill persists OAuth tokens to ~/.mstodo_token_cache.json and registers an atexit handler to save cache — standard for a CLI client. Flags show no 'always: true' and no requests to modify other skills or system-wide configurations. Autonomous invocation is allowed (default), which is normal; combined with the embedded credential this increases blast radius somewhat, but the skill itself does not request elevated system privileges.
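Because the token cache persists between runs, the practical check is whether the file is owner-only and written safely. The following is an added example (not the skill's own code) of how a CLI should write such a cache and how to audit an existing one: the cache path is a parameter (the skill's real path is ~/.mstodo_token_cache.json), the cache contents are constructed placeholders, and the `demo_roundtrip` helper exists only to exercise the functions in a temporary directory.

```python
"""Added example, not the skill's own code: write a CLI token cache with owner-only
permissions and an atomic replace, and audit an existing cache file. The skill's
real cache lives at ~/.mstodo_token_cache.json; here the path is a parameter and
the cache contents are constructed placeholders."""
import json
import os
import stat
import tempfile
from pathlib import Path
from typing import Any, Dict, List, Optional


def save_token_cache(path: Path, cache: Dict[str, Any]) -> None:
    """Serialize `cache` to a temp file created next to `path` (mkstemp creates it
    with mode 0600 regardless of umask), fsync it, then rename it over the target.
    A crash mid-write leaves the previous cache intact instead of truncated JSON."""
    path = Path(path)
    path.parent.mkdir(parents=True, exist_ok=True)
    fd, tmp_name = tempfile.mkstemp(prefix=".token_cache-", dir=path.parent)
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            json.dump(cache, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp_name, path)
    except BaseException:
        if os.path.exists(tmp_name):
            os.unlink(tmp_name)
        raise


def load_token_cache(path: Path) -> Optional[Dict[str, Any]]:
    """Return the parsed cache, or None if no cache file exists yet."""
    path = Path(path)
    if not path.exists():
        return None
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def audit_token_cache(path: Path) -> List[str]:
    """Findings a user should act on before trusting the cache file (empty = fine)."""
    path = Path(path)
    findings: List[str] = []
    if path.is_symlink():
        findings.append("cache path is a symlink; writes could be redirected elsewhere")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"cache is accessible to group/others (mode {mode:04o}); chmod 600 it")
    return findings


def demo_roundtrip() -> Dict[str, Any]:
    """Exercise the helpers in a temporary directory and report what was observed."""
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / "token_cache.json"
        # Constructed placeholder resembling an MSAL cache; not a real token.
        sample = {"AccessToken": {"constructed-key": {"secret": "not-a-real-token"}}}
        save_token_cache(p, sample)
        mode_after_save = stat.S_IMODE(os.stat(p).st_mode)
        private_findings = audit_token_cache(p)
        os.chmod(p, 0o644)  # simulate a cache left world-readable
        loose_findings = audit_token_cache(p)
        return {
            "roundtrip_ok": load_token_cache(p) == sample,
            "mode": mode_after_save,
            "findings_when_private": private_findings,
            "findings_when_world_readable": loose_findings,
            "missing_returns_none": load_token_cache(Path(d) / "absent.json") is None,
        }


if __name__ == "__main__":
    real = Path.home() / ".mstodo_token_cache.json"
    if real.exists():
        print("existing cache:", audit_token_cache(real) or ["ok"])
    print(demo_roundtrip())
```

Running the script audits a real ~/.mstodo_token_cache.json read-only if one exists; the mode check assumes POSIX permission bits, so on Windows only the symlink finding is meaningful.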
How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install ms-todo-oauth
  3. After installation, call the skill by name directly or trigger it with /ms-todo-oauth
  4. Provide the required inputs according to the skill's parameter description to get structured output
Version history
v1.0.4
- Added _meta.json file for enhanced metadata support.
- Introduced test_ms_todo_oauth.py at project root to streamline testing.
- Removed obsolete test script from scripts directory.
- Updated SKILL.md with simplified setup instructions (native venv usage) and removed references to the "uv" tool.
- All commands and documentation now reference Python's built-in venv for installation and running the CLI.
v1.0.3
- Added a prominent security note with guidance on how to replace the embedded Azure Client ID and Secret for enhanced privacy.
- Updated test instructions to reference the correct test file name: `test_ms_todo_oauth.py`.
- No code changes; documentation improvements only.
v1.0.2
SKILL.md updated
v1.0.1
Strings updated
v1.0.0
**Initial release of ms-todo-oauth: an OAuth2-based CLI for Microsoft To Do task management.**
- Introduces a robust command-line interface to manage Microsoft To Do via Microsoft Graph API, supporting authentication via OAuth2.
- Full task and list lifecycle management: create, update, complete, delete, search, and export tasks.
- Rich task features: priorities, due dates, reminders, recurrence patterns, and advanced search.
- Data export to JSON and multiple task views (today, overdue, statistics).
- Comprehensive test coverage with 29 automated tests.
- Unicode support including Chinese and emoji.
- Requires Python 3.9+ and includes a secure OAuth2 token caching mechanism.
Metadata
Slug: ms-todo-oauth
Version: 1.0.4
License: (not listed)
Total installs: 2
Current installs: 2
Versions: 5
FAQ

What is Ms Todo Oauth?

A robust CLI skill to manage Microsoft To Do tasks via Microsoft Graph API. Supports full task lifecycle management including lists, tasks with priorities, due dates, reminders, recurrence patterns, views, search, and data export. Includes comprehensive test suite for reliability. THIS IS A REVISED OAUTH2-BASED VERSION OF ms-todo-sync with AI ASSISTANCE. ALL CREDITS TO THE ORIGINAL AUTHOR. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 899 downloads to date.

How do I install Ms Todo Oauth?

Run the command /install ms-todo-oauth in the OpenClaw or Claude Code chat box to install it in one step. Before running it, read the safe-usage recommendations above about the credentials embedded in the script.

Is Ms Todo Oauth free?

Yes, Ms Todo Oauth is free to download, install, and use (the listing describes it as open source; no license is recorded in the metadata).

Which platforms does Ms Todo Oauth support?

Ms Todo Oauth is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.

Who developed Ms Todo Oauth?

Developed and maintained by nathanatgit (@nathanatgit); the current version is v1.0.4.
