📦 Ms365 Tenant Manager — M365租户管理
v2.1.1面向全局管理员的 Microsoft 365 租户管理工具,可自动化完成租户初始化、Office 365 运维、Azure AD 用户与组管理、Exchange Online 配置等常见任务,一站式简化企业级云办公环境部署与维护。
0· 1.2k·5 当前·5 累计
by 下载技能包
最后更新
2026/4/22
安全扫描
OpenClaw
可疑
medium confidenceNULL
评估建议
This skill contains ready-to-run PowerShell and Python generators that will create and execute high-privilege Microsoft 365 actions. Before installing or using it: (1) only use in a non-production/test tenant first and review every generated script; (2) do not grant Global Admin or broad Graph scopes to untrusted code — prefer a least-privilege app registration with only required permissions or use managed identities/secure vaults; (3) remove or avoid examples that embed client secrets or use pl...详细分析 ▾
ℹ 用途与能力
The name, description, SKILL.md and included scripts all align: this is a Microsoft 365 tenant administration tool that generates PowerShell for tenant setup, CA policies, licensing, audit and user lifecycle. That capability legitimately requires high-privilege credentials (Global Admin or an appropriately permissioned app). The metadata, however, declares no required environment variables or primary credential — an omission that reduces transparency but does not by itself contradict the purpose.
⚠ 指令范围
SKILL.md and the included PowerShell templates direct the agent/operator to run high-privilege Graph and Exchange cmdlets (Connect-MgGraph with wide scopes, New-MgIdentityConditionalAccessPolicy, Set-MgUserLicense, Revoke tokens, etc.). Those commands are coherent with the stated purpose, but the instructions and troubleshooting docs also show examples that encourage embedding clientId/clientSecret and using ConvertTo-SecureString with plaintext secrets — an insecure practice that could lead to credential exposure. The skill references local files (CSV inputs) and does not call external endpoints beyond Microsoft APIs, so there is no explicit data exfiltration endpoint, but the agent will need tenant credentials to perform most actions.
✓ 安装机制
There is no install spec (instruction-only behavior) and the package contains local Python script generators and documentation. Nothing is downloaded or executed from arbitrary remote URLs, and no package managers are invoked. This is lower-risk from an install-perspective, but the included code will generate and run PowerShell that acts on a live tenant.
⚠ 凭证需求
The skill performs operations that require Global Administrator or high privilege application permissions (Directory.ReadWrite.All, Policy.ReadWrite.ConditionalAccess, User.ReadWrite.All, ExchangeOnline). That level of access is proportionate to the functionality — but the skill declares zero required environment variables or primary credential, giving no explicit guidance on how to supply credentials safely. Additionally, the docs show insecure examples for application authentication (clientSecret assigned from plaintext), increasing the risk of credential leakage if users follow them.
ℹ 持久化与权限
The skill is not forced-always (always:false) and uses the default model-invocation behavior (agent may invoke autonomously). Autonomous invocation combined with high-privilege actions increases potential blast radius if the agent is allowed to act without human control. This combination is not flagged as outright malicious by itself, but you should treat autonomous runs with extra caution for admin-capable skills.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv2.1.12026/2/7
NULL
● 可疑
安装命令
点击复制官方npx clawhub@latest install ms365-tenant-manager
镜像加速npx clawhub@latest install ms365-tenant-manager --registry https://cn.longxiaskill.com