Back to plugin

Security audit

OpenClaw Microsoft Teams

Security checks across malware telemetry and agentic risk

Overview

This Teams plugin appears functional, but it gives agents broad Microsoft Graph powers including chat search, message reads, participant changes, and group renaming.

Install only if you intend to let OpenClaw operate with broad Microsoft Teams and Graph authority. Before enabling it in a tenant, restrict Graph permissions to the exact features you need, keep groupPolicy and dmPolicy allowlisted, disable or deny administrative actions unless explicitly required, and treat persisted delegated tokens as sensitive credentials.

VirusTotal

61/61 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

Detected: suspicious.exposed_secret_literal

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/src/attachments/bot-framework.js:35
Evidence
bearerToken: [REDACTED],

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/src/attachments/graph.js:112
Evidence
accessToken: [REDACTED],

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/src/graph.js:150
Evidence
clientSecret: [REDACTED],

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/src/oauth.js:47
Evidence
clientSecret: [REDACTED],

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/src/oauth.token.js:11
Evidence
client_secret: [REDACTED],

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/src/sdk.js:74
Evidence
clientSecret: [REDACTED],

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/src/setup-surface.js:227
Evidence
clientSecret: [REDACTED],

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/src/token.js:110
Evidence
clientSecret: [REDACTED],

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/attachments/bot-framework.ts:67
Evidence
bearerToken: [REDACTED],

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/attachments/graph.ts:189
Evidence
accessToken: [REDACTED],

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/graph.ts:245
Evidence
clientSecret: [REDACTED],

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/oauth.token.ts:32
Evidence
client_secret: [REDACTED],

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/oauth.ts:77
Evidence
clientSecret: [REDACTED],

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/sdk.ts:313
Evidence
clientSecret: [REDACTED],

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/setup-surface.ts:297
Evidence
clientSecret: [REDACTED],

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/token.ts:186
Evidence
clientSecret: [REDACTED],