Is danielithomas/officeclaw safe?

SKILL.md states 'OfficeClaw ships with a default app registration — just run officeclaw auth login and go. No Azure setup needed.' This means the OFFICECLAW_CLIENT_ID baked into the PyPI package belongs to an Azure app registration controlled by Daniel Thomas (or whoever controls the package). Users who follow the quickstart path authenticate their Microsoft accounts to a third-party controlled Azure app. The author can observe all authentication events, app consent grants, and token refresh activity through their Azure portal. There is no mechanism for the user to verify the author's intent or that the app's permissions have not changed.

The entire implementation — OAuth device code flow, token acquisition, token caching to ~/.officeclaw/token_cache.json, and all Microsoft Graph API calls — resides in the officeclaw PyPI package, which is outside the scope of this skill audit. A supply chain compromise (malicious package version, typosquatting, maintainer account takeover) would give an attacker bearer tokens with Mail.Read, Mail.ReadWrite, Mail.Send, Calendars.ReadWrite, and Tasks.ReadWrite scopes against the user's personal Microsoft account. The package was not installed or executed during this audit, so its runtime behavior was not observed.

If a user installs this skill and the officeclaw PyPI package is malicious or compromised, the attacker gains: (1) all stored email content via Mail.Read, (2) ability to send email as the user via Mail.Send, (3) full calendar visibility and modification, (4) task list access. A sophisticated attacker could use email access to conduct business email compromise, intercept password reset flows, or harvest credentials from email content. The default app registration also means users who don't configure their own client ID have an ongoing dependency on the author's Azure infrastructure.

The installation instructions specify 'pip install officeclaw' without any version pin or hash verification. This means each installation fetches the latest published version, providing no stability or supply chain integrity guarantee. A malicious actor who gains control of the PyPI package account could publish a backdoored version that would be silently installed by new users following the skill's instructions.

The skill discloses the exact token cache path (~/.officeclaw/token_cache.json, permissions 600). If an attacker gains any local file read capability through another skill or tool, they can steal these cached tokens and replay them to access the user's Microsoft account without requiring re-authentication for the token lifetime.

The 'Guidelines for Agents' section includes 'Respect privacy: Don't log email content.' While the stated intent is privacy protection, this instruction could suppress agent audit trails for email access operations, making it harder to detect if the skill is being used to silently exfiltrate email data. A well-designed skill in a security-sensitive environment should not discourage audit logging.

An ARP neighbor lookup (ip neigh show) was executed at audit record #5536 during the install window. Attribution is ambiguous — the command is sandwiched between oathe framework git operations and no data exfiltration followed. Most likely platform monitoring behavior. Noted for completeness.

SKILL.md declares version '1.0.1' in its frontmatter, while _meta.json reports the latest version as '1.0.2'. This minor inconsistency suggests either the audit captured a stale SKILL.md or there are metadata synchronization issues in the skill's release process.