Security Scan
OpenClaw
Security
high confidence
The skill's code and instructions are internally consistent with its stated purpose (reading a Microsoft 365 Outlook calendar) but it requires you to store plaintext credentials and will save cookies/tokens under ~/.outlook, which is sensitive and deserves caution.
Assessment recommendations
This skill appears to implement what it claims, but before installing you should: (1) only install if you trust the skill source (origin is unknown); (2) review the included Python files yourself, since they will handle your password, cookies, and tokens; (3) prefer an OAuth/delegated access approach if your org supports it instead of giving raw credentials; (4) if you must use it, create ~/.outlook/config.json with a minimum-privilege account, set file permissions (chmod 600) and limit who can read th...
✓ Purpose and capabilities
Name/description (read M365 Outlook calendar) match the included code and instructions: login.py automates a browser login (MFA number match) and owa_calendar.py extracts a Bearer token and calls the OWA calendar API. Requested binary (python3) and use of Playwright/requests are appropriate for this scraping+API approach.
ℹ Instruction scope
SKILL.md explicitly instructs the user to create ~/.outlook/config.json containing email/password and to run login.py and owa_calendar.py. The runtime instructions are narrowly focused on authentication and calendar retrieval and only reference files in ~/.outlook and the skill directory. This is coherent, but the instructions require creation and persistent storage of sensitive credentials and cookies on the host.
ℹ Install mechanism
There is no automatic installer in the registry (instruction-only), but SKILL.md tells users to pip install playwright and requests and to run playwright install chromium. These are common packages and an expected approach for Playwright automation, but they will install a browser runtime (Chromium) and pull code from PyPI — a normal but non-trivial setup step.
ℹ Credential requirements
The skill does not ask for environment variables, but it does require you to supply your full email and password in plaintext in ~/.outlook/config.json, plus it creates cookies.json and token.json (Bearer token) and a login_status.txt. These artifacts are necessary for the implemented method but are sensitive: storing credentials and tokens locally increases exposure risk compared with an OAuth-based delegated-token flow.
✓ Persistence and privileges
always is false and the skill does not modify other skills or system-wide agent settings. It writes its own state to ~/.outlook (config, cookies, token, status). That is normal for this kind of skill, but those files should be protected and you should be aware the skill will reuse cached tokens and cookies until they expire.
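Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/2/27
Microsoft 365 Outlook calendar reader: MFA login + token caching + OWA REST API; sensitive information is stored in ~/.outlook/
● Suspicious
Install command
Official: npx clawhub@latest install ilove323-outlook-calendar
Mirror (accelerated): npx clawhub@latest install ilove323-outlook-calendar --registry https://cn.longxiaskill.com (mirror syncing)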