Plugin v2026.3.22

ClawScan security

Msteams · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 23, 2026, 9:58 PM

Verdict: benign
Confidence: medium
Model: gpt-5-mini

Summary: This package is a Microsoft Teams (Bot Framework / Graph) channel plugin whose code, dependencies, and network behavior are consistent with its stated purpose, though metadata omits explicit declarations about the credentials/config it expects.

Guidance: This plugin appears to be a legitimate Microsoft Teams channel integration. Before installing: (1) confirm you will provide Microsoft Bot credentials (appId, appPassword, tenantId) in OpenClaw's channel configuration (the package does not declare env vars but the code expects these credentials), (2) only enable it in environments where outbound network access to graph.microsoft.com and SharePoint/consent URLs is permitted and acceptable, and (3) review where the plugin will store conversation references or uploaded files (in-memory or filesystem) and ensure those locations and retention policies meet your security/privacy requirements. If you need the host to supply credentials via environment variables rather than channel config, plan for secure secret provisioning; otherwise verify the OpenClaw channel config is used and protected. If you want higher assurance, request the publisher to declare required config/secret fields in the plugin metadata so installers don't miss them.

Review Dimensions

Purpose & Capability
[note] The name/description match the implementation: the code integrates with Microsoft Bot Framework and Microsoft Graph (uploads, downloads, chat resolution, file consent flows). Declared npm dependencies (@microsoft/agents-hosting, express, uuid) are appropriate. Minor mismatch: registry metadata lists no required env vars or config paths, but the runtime code and tests clearly expect channel configuration (appId, appPassword, tenantId, webhook config) to be provided via the host OpenClaw config rather than environment variables.
Instruction Scope
[ok] The SKILL.md content is effectively the package.json/openclaw metadata and does not instruct the agent to read arbitrary local files or secrets. The source code performs network operations (Graph API, SharePoint, consent upload URLs) and local conversation storage (memory/fs variants) which are expected for a Teams channel implementation. The code includes SSRF allowlist checks and file upload consent handling.
Install Mechanism
[ok] No install spec was provided in the registry entry (instruction-only), but the package contains normal node module files and a package.json. There is no external arbitrary download or obscure install URL. Dependencies are standard npm packages.
Credentials
[note] The registry metadata declares no required environment variables or primary credential, but the implementation requires Microsoft bot credentials and tenant/webhook configuration (e.g., appId/appPassword/tenantId) supplied via host OpenClaw configuration. This is a proportional need for a Teams integration, but the omission in declared requirements means the host or installer must know to provide those secrets via the OpenClaw channel config rather than env vars.
Persistence & Privilege
[ok] The skill does not request always:true and does not attempt to modify other skills or system-wide settings. It stores conversation references and supports file-backed stores (conversation-store-fs, store-fs), which is expected for proactive messaging; those are limited to the plugin's own storage.