Your agent reads Teams chats, posts to channels, searches everything. One stolen token. 90 days per browser tap.
Security Analysis
Medium confidence: The skill's code and instructions match its stated purpose (extract a Teams/MSAL refresh token from the browser and use it to read/send Teams messages via Microsoft Graph); it is internally coherent but requests highly sensitive long-lived credentials and should only be used if you trust the source.
Name/description, SKILL.md, and the included Node script all describe the same capability: extract an MSAL refresh token from Teams browser localStorage, store it at ~/.openclaw/credentials/outlook-msal.json, refresh to obtain Graph access tokens, and call Graph API endpoints (chats, channels, users, presence, calendar). No unrelated services, env vars, or binaries are requested.
Runtime instructions explicitly direct the agent to run JavaScript in the Teams browser tab to read localStorage keys and then to store the refresh token locally. The code reads/writes only the shared credential file and calls Microsoft Graph endpoints. There is no instruction to read unrelated system files or exfiltrate data to third‑party endpoints.
No install spec or external downloads are used; the skill is instruction-only plus an included Node.js script. The script is self-contained and has no network pulls of arbitrary code. This is the lower-risk install pattern for skills.
The skill does not request environment variables, but it requires extracting and persisting a browser MSAL refresh token — a highly sensitive, long-lived credential that grants broad Graph access. The credential is commensurate with the stated capability (accessing Teams), but it is high-privilege: the SKILL.md and script persist it to ~/.openclaw/credentials/outlook-msal.json and auto-rotate it on use (90+ days of refreshable access). Users should treat this as granting long-lasting access equivalent to a stolen session.
The skill writes its own credential file (~/.openclaw/credentials/outlook-msal.json) with 0600 permissions and does not modify other skills or system-wide settings. It does not set always: true. However, because the platform allows autonomous invocation by default, giving this skill the ability to run and access the browser plus that stored refresh token increases its blast radius — consider the implications before enabling autonomous runs.
Guidance
This skill does exactly what it claims: it asks you (or the agent via a browser relay) to extract a Microsoft Teams/MSAL refresh token from browser localStorage and save it locally so the CLI/script can call Microsoft Graph to read/send chats and other org data. That flow is coherent but extremely sensitive because a refresh token grants long-lived access across Microsoft Graph and can be reused for weeks or months. Before installing or using this skill:
1) Only proceed if you fully trust the skill's author and host environment.
2) Prefer official OAuth flows and short-lived access tokens where possible; avoid manual extraction of refresh tokens when you can.
3) If you extract a token, be prepared to rotate or revoke it immediately afterward (Azure AD sign-in sessions, revoke refresh tokens, reset credentials) and delete ~/.openclaw/credentials/outlook-msal.json when finished.
4) Disable autonomous invocation (or restrict when the skill can run) if you do not want the agent to run this without explicit user consent.
5) If you are evaluating this for use in an organization, consult your security team — capturing a browser refresh token and storing it on disk is the equivalent of granting broad Graph access and may violate policy or require conditional-access controls.
Latest Release
v1.0.1
Rename fork refs → tinkerclaw
Published by @globalcaos on ClawHub