← 返回 Skills 市场

Microsoft 365 Email & Calendar

Name: Microsoft 365 Email & Calendar
Author: droba07

作者 Roman Matyuschenko · GitHub ↗ · v1.2.0 · MIT-0

cross-platform ⚠ suspicious

158

总下载

当前安装

版本数

在 OpenClaw 中安装

/install ms365-mail-calendar

功能描述

Microsoft 365 Email & Calendar CLI via Microsoft Graph API. Supports multiple accounts.

使用说明 (SKILL.md)

ms365

Microsoft 365 CLI for Email & Calendar via Graph API. Multi-account support.

Setup (once per account)

Register app in Azure Portal → App registrations → New → Public client (mobile & desktop)
Enable "Allow public client flows" (Device Code Flow)
API permissions: Mail.Read, Mail.Send, Calendars.ReadWrite, User.Read
Set env: MICROSOFT_CLIENT_ID=\x3Cyour-app-id> and optionally MICROSOFT_TENANT_ID
Run: node skills/ms365/index.js --account work login

Commands

Login: node index.js --account work login
Who am I: node index.js --account work whoami
Inbox: node index.js --account work mail inbox --top 10
Unread: node index.js --account work mail unread
Read: node index.js --account work mail read \x3Cid>
Send: node index.js --account work mail send --to [email protected] --subject "Hi" --body "Hello"
Search: node index.js --account work mail search "invoice"
Calendar: node index.js --account work calendar --from 2026-04-14T00:00:00Z --to 2026-04-14T23:59:59Z
Create event: node index.js --account work calendar-create --subject "Meeting" --start 2026-04-15T10:00 --end 2026-04-15T11:00

Multi-account

Use --account \x3Cname> to switch. Each account has separate tokens stored in ~/.openclaw/credentials/.

Notes

Device Code Flow — authenticate in browser, no secrets stored
Tokens auto-refresh
Confirm before sending emails

安全使用建议

This skill appears to do what it says: it uses the OAuth device-code flow and Microsoft Graph to read/send mail and manage calendars. Before installing: (1) create and use a dedicated Azure app (MICROSOFT_CLIENT_ID) rather than your organization's sensitive app id; (2) be aware the skill saves OAuth tokens (including refresh_token) to ~/.openclaw/credentials with 0600 file permissions — treat those files as sensitive and delete or rotate tokens if you remove the skill; (3) the code will load ~/.openclaw/credentials/ms365.env if present, so don't place unrelated secrets there; (4) inspect the included files yourself (they're small and readable) or run the skill in a sandbox if you have concerns; (5) note the SKILL.md wording that "no secrets stored" is inaccurate — it means no client secret is required, but tokens are stored locally.

功能分析

Type: OpenClaw Skill Name: ms365-mail-calendar Version: 1.2.0 The skill bundle provides a legitimate CLI for interacting with Microsoft 365 Email and Calendar via the Microsoft Graph API. It implements the standard OAuth2 Device Code Flow for authentication and follows security best practices by storing tokens with restricted file permissions (0o600) in the user's home directory. No evidence of data exfiltration, malicious execution, or prompt injection was found across the codebase (index.js, src/api.js, src/auth.js).

能力标签

requires-oauth-tokenrequires-sensitive-credentials

能力评估

✓ Purpose & Capability

Name/description ask for node and a Microsoft client ID and the code implements Microsoft Graph calls (mail/calendar) and device-code authentication — these requirements are appropriate and expected.

ℹ Instruction Scope

SKILL.md describes device code flow and commands that map directly to the code. However the docs state "no secrets stored" which is misleading: the skill persists OAuth tokens (including refresh_token) to disk under ~/.openclaw/credentials. The skill also references running node from the skill directory as instructions indicate.

✓ Install Mechanism

No install/downloads or external installers; the skill is instruction + local Node code with no declared external package installs. This is low risk from an install mechanism perspective.

ℹ Credentials

Only MICROSOFT_CLIENT_ID (and optionally MICROSOFT_TENANT_ID) are required, which is proportional. The code will also read ~/.openclaw/credentials/ms365.env if present and inject uppercase vars into process.env, and it writes tokens to ~/.openclaw/credentials/ms365.tokens.<account>.json — these behaviors are reasonable but mean secrets (access/refresh tokens) are stored locally and any ms365.env placed there may be loaded.

✓ Persistence & Privilege

always is false and the skill does not modify other skills or system settings. It persists its own tokens/config under ~/.openclaw/credentials, which is expected for multi-account CLI behavior.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install ms365-mail-calendar
安装完成后，直接呼叫该 Skill 的名称或使用 /ms365-mail-calendar 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.2.0

inbox/unread/search show [index] + message ID; mail read accepts index (1,2,3) or no arg for latest; attachments listed with name/size on read

v1.1.0

Add check-unread.js standalone wrapper for cron use; fix exec preflight issue with arguments

v1.0.0

Initial release: email + calendar via Graph API, multi-account support, device code flow auth

元数据

Slug ms365-mail-calendar

版本 1.2.0

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 3

常见问题