Latest release: v2026.5.28
Security Scan
OpenClaw
Benign, high confidence
Purpose & Capability
The package is an official @openclaw/msteams channel plugin for Teams bot conversations; Teams messaging, file upload, Graph access, delegated auth, SSO, edit/delete, and group actions fit that purpose.
Instruction Scope
High-impact channel actions are exposed, but the artifact shows explicit action names, required targets, setup prompts, allowlist/group/DM policy configuration, and no hidden unrelated instructions.
Install Mechanism
The package is source-linked to openclaw/openclaw, has no npm lifecycle scripts in package.json, declares a Teams channel plugin manifest, and VirusTotal telemetry is clean.
Credentials
The plugin uses Microsoft credentials, Graph/Teams network calls, webhook handling, and host-mediated local media reads; these are proportionate for a Teams integration but require careful admin configuration.
Persistence & Privilege
Delegated OAuth and SSO tokens can be persisted in the plugin state directory when those features are enabled; this is sensitive but opt-in/purpose-aligned rather than hidden or unrelated.
Scan Findings in Context
[SDI-2] expected: The delegated OAuth flow is optional in setup, uses Microsoft OAuth consent, and stores tokens to support delegated Teams/Graph operations; the risk is real but aligned with the channel plugin’s purpose.
[SQP-2] expected: The upload-file path supports sending user-selected local media to Teams and passes through the host mediaLocalRoots/mediaReadFile mechanism rather than directly reading arbitrary files in this artifact.
[SQP-2] expected: The setup flow saves delegated tokens after the user enables delegated auth; clearer storage and revocation disclosure would help, but this does not show deception or purpose mismatch.
[SQP-2] expected: The SSO token store persists per-user Bot Framework OAuth tokens only when SSO is configured, matching the documented in-code purpose of enabling delegated Graph use across turns.
Assessment
Install only if you intend to let OpenClaw operate Microsoft Teams on your behalf. Configure the narrowest Teams/Graph scopes and allowlists you can, enable delegated auth or SSO only when needed, protect the OpenClaw state directory because it may contain tokens, and revoke Microsoft consent/delete plugin state if access should be removed.
dist/errors-DZGI_mqq.js:660
File appears to expose a hardcoded API secret or token.
dist/oauth-ei63gdyS.js:83
File appears to expose a hardcoded API secret or token.
dist/oauth.token-BKzEFepQ.js:33
File appears to expose a hardcoded API secret or token.
dist/setup-surface-C9IApOv3.js:504
File appears to expose a hardcoded API secret or token.
dist/src-D_rcW2Zm.js:490
File appears to expose a hardcoded API secret or token.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.