Security Scan
OpenClaw
Safe
high confidence
The skill's instructions and requirements are consistent with a wrapper for the third-party m365-cli tool to manage a personal Microsoft account; nothing requested is disproportionate to that purpose.
Assessment Recommendations
This skill is a set of instructions to use the third-party m365-cli tool. Before installing or using it: 1) Verify the npm package and GitHub repo (mrhah/m365-cli) to ensure you trust the publisher; 2) Understand that m365 login stores OAuth tokens locally and requests offline_access (refresh tokens) — use m365 logout to clear them when done; 3) The agent will run shell commands and may read/write files you instruct it to attach or download, so avoid attaching sensitive files unless necessary; 4...
ℹ Purpose and Capabilities
The SKILL.md explicitly documents use of the m365-cli to manage personal Outlook/OneDrive/Calendar and the listed commands match that purpose. Minor inconsistency: registry metadata reported no required binaries/install, whereas the SKILL.md declares required-binary: m365 and gives an npm install command — but this is plausibly an authoring omission rather than malicious.
✓ Instruction Scope
Instructions are limited to running the m365 CLI for mail/calendar/OneDrive operations, using --json for structured output, and authenticating via the CLI's device-code flow. The instructions do reference reading/writing local files only where appropriate (attachments, uploads, downloads). They do not ask the agent to read unrelated system files or to exfiltrate data to unexpected endpoints.
ℹ Install Mechanism
This is an instruction-only skill (no install spec in registry), but the SKILL.md tells the user to run `npm install -g m365-cli`. Installing a third-party npm package is a normal, moderate-risk action; the skill itself will not silently download code because it contains no install script. Users should verify the npm package and GitHub repo referenced in SKILL.md before installing.
✓ Credential Requirements
No sensitive environment variables are required by the skill. Authentication is performed interactively via m365 login (device-code flow) and the CLI requests typical scopes for mail, calendar, and files (including offline_access for refresh tokens) — this is expected for a persistent client that manages email/OneDrive.
✓ Persistence and Privileges
The skill is not forced-always and has default autonomous invocation allowed. The only persistence implication is that the m365 CLI stores authentication tokens locally (standard for OAuth CLI tools); the skill itself does not request system-wide config changes or other skills' credentials.
Security is layered; review the code before running.
Runtime Dependencies
No special dependencies
Version
latest v1.1.0 2026/3/6
Trim description to concise summary
● Harmless
Install Command
Official: `npx clawhub@latest install outlookcli`
Mirror (accelerated): `npx clawhub@latest install outlookcli --registry https://cn.longxiaskill.com`