Security Scan
OpenClaw
Suspicious
Medium confidence: The code and SKILL.md implement a full Microsoft 365 integration that legitimately needs high‑privilege Azure app credentials, but the registry metadata does not declare those credentials or environment requirements — an important mismatch you should resolve before installing.
Assessment recommendations
This package appears to be a real Microsoft 365 integration, but there are important mismatches and high‑risk requirements you must be aware of before installing:
- The SKILL.md and code require Azure AD app credentials (M365_TENANT_ID, M365_CLIENT_ID, M365_CLIENT_SECRET) and request application-level Graph permissions (Mail.*, Sites.ReadWrite.All, Files.ReadWrite.All, Tasks.ReadWrite). Those are powerful permissions that require admin consent and allow broad access to mail, files and planner d...
Detailed analysis
ℹ Purpose and capabilities
The skill's name, README, SKILL.md and source files consistently implement Email, SharePoint, OneDrive, Planner and webhook functionality via Microsoft Graph. Those capabilities legitimately require an Azure AD app and Graph permissions (Mail.*, Sites.ReadWrite.All, Files.ReadWrite.All, Tasks.ReadWrite, etc.). However the registry metadata lists no required environment variables or primary credential, which contradicts the SKILL.md and code that expect M365_TENANT_ID, M365_CLIENT_ID, M365_CLIENT_SECRET and other config.
✓ Instruction scope
The SKILL.md instructs installing via npm, setting M365_* env vars, and using createM365Client. Runtime instructions and scripts focus on Graph operations (sending emails, uploading files, managing webhooks, processing invoices). I did not find instructions that ask the agent to read unrelated system files, external personal credentials, or send data to unknown third‑party endpoints (all network calls are to Microsoft Graph or user-supplied webhook URLs).
ℹ Install mechanism
Registry lists no install spec but the package includes package.json and Node code; installation requires running npm install (pulling @microsoft/microsoft-graph-client, axios, dotenv). This is a common/expected install method for Node skills but it does execute third‑party npm packages — moderate risk compared to instruction-only skills. There are no direct downloads from arbitrary URLs in the manifest.
⚠ Credential requirements
The skill requires app-only Azure AD credentials (tenant/client id and client secret) and requests broad Graph application permissions (Sites.ReadWrite.All, Files.ReadWrite.All, Mail.ReadWrite, Mail.Send, Tasks.ReadWrite). Those permissions are proportionate to the described features, but the registry metadata does not declare any required env vars or a primary credential — this omission prevents proper consent/approval gating and makes it easy to overlook the high privilege level when installing. Also the repo includes a .clawhub/config.json file (contents not shown) — check it for embedded secrets.
✓ Persistence and privileges
The skill is not marked always:true and does not request system‑wide modifications. It provides webhook management (which requires exposing/receiving HTTP notifications) and includes interactive setup scripts; these are expected for a webhook-enabled integration. Autonomous invocation is allowed by default (disable-model-invocation:false), which increases blast radius if credentials are granted — combine this with the high Graph privileges when evaluating risk.
⚠ scripts/process-invoice-with-ocr.js:57
Shell command execution detected (child_process).
⚠ scripts/manage-webhooks.js:31
Environment variable access combined with network send.
⚠ scripts/process-invoice-email.js:32
Environment variable access combined with network send.
⚠ scripts/process-invoice-with-ocr.js:160
Environment variable access combined with network send.
⚠ scripts/test-connection.js:15
Environment variable access combined with network send.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.1.0 2026/4/20
m365-unified 1.1.0
- Adds unified Microsoft 365 integration for OpenClaw, including Email, SharePoint, OneDrive, and Planner support.
- Introduces new features: webhook notifications and automated invoice processing.
- Includes scripts for testing connection, processing invoice emails, and listing SharePoint sites.
- Updated configuration and permission guidelines for enhanced setup and security.
- Comprehensive skill documentation added for easier usage and deployment.
● Benign
Install command
Official: npx clawhub@latest install m365-unified
Mirror: npx clawhub@latest install m365-unified --registry https://cn.longxiaskill.com (mirror sync in progress)