Code Pluginsource linked

Msteamsv2026.5.26-cn.9

OpenClaw Microsoft Teams channel plugin (China cloud custom build)

openclaw-msteams-cn·runtime msteams-cn·by @hermes-openclaw

Community code plugin. Review compatibility and verification before install.

openclaw plugins install clawhub:openclaw-msteams-cn

Latest release: v2026.5.26-cn.9Download zip

Capabilities

Compatibility

Built With Open Claw Version

2026.5.26

Min Gateway Version

>=2026.4.10

Plugin Api Range

>=2026.5.22

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Suspicious

high confidence

Purpose & Capability

The Teams-channel purpose is coherent, but the plugin exposes more than message delivery: read/search history, edit/delete, pin/unpin, reactions, channel/member lookup, add/remove participants, and rename group actions through Graph-backed handlers.

Instruction Scope

Sensitive message and group-management actions are advertised whenever Teams credentials are configured; the artifact includes allow/deny policy fields, but these high-impact actions are not separated into an explicit opt-in surface by default.

ℹ

Install Mechanism

The package is a normal npm pack with no install lifecycle scripts found, but it is not a trusted @openclaw package and metadata shows source-linked rather than provenance-backed verification.

Credentials

Microsoft Teams app credentials, Graph access, a webhook listener, and authenticated attachment/file flows are broadly proportional to a Teams plugin, but the resulting authority can affect tenant messages, files, chats, and membership.

Persistence & Privilege

The plugin persists local Teams state such as conversation references and pending uploads, and optional delegated OAuth stores access/refresh tokens in a private file store; failed delegated setup can still leave delegatedAuth enabled in config.

Scan Findings in Context

[SDI-2] unexpected: The broad Graph action set is artifact-backed and partly related to a rich Teams integration, but add/remove participant, rename, delete, read, and search capabilities are high-impact and not separately gated by default.

[SDI-2] expected: Authenticated attachment fetching is expected for Teams files; the artifact uses host allowlists, HTTPS checks, redirect validation, and authorization stripping, which materially reduces the token-forwarding concern.

[SDI-4] expected: The display-name approval concern is not supported by production code reviewed: approval normalization accepts stable Teams/AAD-style user IDs and rejects display-name allowlist entries, although the included test source appears inconsistent or malformed.

[SDI-4] expected: The China-cloud mismatch is limited: core constants point to China cloud, and global Graph roots are mainly accepted for nextLink normalization compatibility; this is a note rather than evidence of exfiltration.

[SDI-2] expected: Probe output exposes roles, scopes, and delegated user principal status for diagnostics; that is useful for setup but should be treated as sensitive admin-visible metadata.

[SDI-2] unexpected: Delegated OAuth is optional and prompted, but it persists refresh-capable delegated tokens with Chat.ReadWrite/offline_access-style authority, which is a material privilege boundary expansion.

[SDI-4] unexpected: The setup flow sets delegatedAuth enabled before token acquisition completes, leaving a misleading configured state if OAuth fails, though later token resolution falls back rather than directly bypassing authentication.

What to consider before installing

Install only if you intend this agent to operate with broad Microsoft Teams/Graph authority. Review requested Azure/Graph permissions, restrict Teams senders and groups with allowlists, use tool allow/deny policies to disable admin actions you do not need, and treat delegated OAuth as sensitive because it persists refresh-capable user tokens. VirusTotal telemetry was clean and no artifact-backed malicious behavior was found, but the privilege surface is large enough to warrant review.

✗

dist/src/attachments/graph.js:113