{ "schemaVersion": "1.0", "item": { "slug": "outlook-delegate", "name": "Outlook Delegate", "source": "tencent", "type": "skill", "category": "效率提升", "sourceUrl": "https://clawhub.ai/87Marc/outlook-delegate", "canonicalUrl": "https://clawhub.ai/87Marc/outlook-delegate", "targetPlatform": "OpenClaw" }, "install": { "downloadMode": "redirect", "downloadUrl": "/downloads/outlook-delegate", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=outlook-delegate", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "installMethod": "Manual import", "extraction": "Extract archive", "prerequisites": [ "OpenClaw" ], "packageFormat": "ZIP package", "includedAssets": [ "SKILL.md", "_meta.json", "scripts/outlook-calendar.sh", "scripts/outlook-mail.sh", "scripts/outlook-token.sh", "references/setup.md" ], "primaryDoc": "SKILL.md", "quickSetup": [ "Download the package from Yavira.", "Extract the archive and review SKILL.md first.", "Import or place the package into your OpenClaw setup." ], "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run." } ] }, "sourceHealth": { "source": "tencent", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-04-30T16:55:25.780Z", "expiresAt": "2026-05-07T16:55:25.780Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network", "contentDisposition": "attachment; filename=\"network-1.0.0.zip\"", "redirectLocation": null, "bodySnippet": null }, "scope": "source", "summary": "Source download looks usable.", "detail": "Yavira can redirect you to the upstream package for this source.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/outlook-delegate" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] }, "downloadPageUrl": "https://openagent3.xyz/downloads/outlook-delegate", "agentPageUrl": "https://openagent3.xyz/skills/outlook-delegate/agent", "manifestUrl": "https://openagent3.xyz/skills/outlook-delegate/agent.json", "briefUrl": "https://openagent3.xyz/skills/outlook-delegate/agent.md" }, "agentAssist": { "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.", "steps": [ "Download the package from Yavira.", "Extract it into a folder your agent can access.", "Paste one of the prompts below and point your agent at the extracted folder." ], "prompts": [ { "label": "New install", "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete." }, { "label": "Upgrade existing", "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run." } ] }, "documentation": { "source": "clawhub", "primaryDoc": "SKILL.md", "sections": [ { "title": "Outlook Delegate Skill", "body": "Access another user's Outlook/Microsoft 365 email and calendar as a delegate via Microsoft Graph API. Supports three sending modes: as yourself, as the owner, or on behalf of the owner." }, { "title": "Delegate Architecture", "body": "This skill is designed for scenarios where:\n\nYour AI assistant (the delegate) has its own Microsoft 365 account\nThe owner has granted the assistant delegate access to their mailbox/calendar\nThe assistant can send emails as itself, as the owner, or on behalf of the owner" }, { "title": "Sending Modes Explained", "body": "All three modes use the same Graph API call (/users/{delegate}/sendMail with the from field set). The difference between Send As and Send on Behalf is determined entirely by which Exchange permission is granted, not by the API endpoint.\n\nModeCommandExchange Permission Requiredfrom fieldsender fieldWhat Recipient SeesAs Selfsend(none extra)DelegateDelegate\"From: Assistant\"As Owner (Send As)send-asSendAs onlyOwnerOwner\"From: Owner\"On Behalf Ofsend-behalfSendOnBehalf onlyOwnerDelegate\"From: Assistant on behalf of Owner\"\n\n⚠️ CRITICAL: Do NOT grant both SendAs and SendOnBehalf permissions. If both are granted, Exchange always uses SendAs, and the \"on behalf of\" indication will never appear. Choose ONE based on your desired behavior." }, { "title": "How It Works Under the Hood", "body": "When you call send-as or send-behalf, the skill makes the same API call: it sends via the delegate's endpoint with the owner in the from field. Microsoft Graph automatically sets the sender property to the authenticated user (the delegate). Whether the recipient sees \"on behalf of\" depends solely on the Exchange permission:\n\nSendAs permission → Graph sets both sender and from to the owner. No indication of delegation.\nSendOnBehalf permission → Graph keeps sender as the delegate and from as the owner. Recipient sees \"on behalf of.\"" }, { "title": "Config File: ~/.outlook-mcp/config.json", "body": "{\n \"client_id\": \"your-app-client-id\",\n \"client_secret\": \"your-app-client-secret\",\n \"tenant_id\": \"your-tenant-id\",\n \"owner_email\": \"owner@yourdomain.com\",\n \"owner_name\": \"Owner Display Name\",\n \"delegate_email\": \"assistant@yourdomain.com\",\n \"delegate_name\": \"AI Assistant\",\n \"timezone\": \"America/New_York\"\n}\n\nFieldDescriptionclient_idMicrosoft Entra ID App Registration client IDclient_secretMicrosoft Entra ID App Registration client secrettenant_idYour Microsoft Entra tenant ID (auto-detected during setup)owner_emailThe mailbox the assistant accesses as delegateowner_nameDisplay name for the owner (used in From field)delegate_emailThe assistant's own email addressdelegate_nameDisplay name for the assistanttimezoneIANA timezone for calendar operations (e.g., America/New_York, Europe/London, UTC)" }, { "title": "1. Microsoft Entra ID App Registration", "body": "Create an app registration in Azure Portal:\n\nGo to portal.azure.com → Microsoft Entra ID → App registrations\nNew registration:\n\nName: \"AI Assistant Mail Access\"\nSupported account types: \"Accounts in this organizational directory only\" (single tenant)\nRedirect URI: http://localhost:8400/callback\n\n\nNote the Application (client) ID and Directory (tenant) ID" }, { "title": "2. Configure API Permissions", "body": "In your app → API permissions → Add a permission → Microsoft Graph → Delegated permissions:\n\nRequired for all modes:\n\nMail.ReadWrite — Read/write assistant's own mail\nMail.Send — Send mail as assistant\nCalendars.ReadWrite — Read/write calendars\nUser.Read — Read own profile\noffline_access — Refresh tokens\n\nRequired for delegate access:\n\nMail.ReadWrite.Shared — Read/write shared mailboxes\nMail.Send.Shared — Send on behalf of others\nCalendars.ReadWrite.Shared — Read/write shared calendars\n\nClick \"Grant admin consent\" (requires admin)." }, { "title": "3. Create Client Secret", "body": "Certificates & secrets → New client secret\nDescription: \"AI Assistant\"\nExpiration: Choose appropriate duration\nCopy the Value immediately (shown only once)" }, { "title": "4. Grant Exchange Delegate Permissions", "body": "The owner (or an admin) must grant the assistant access via PowerShell.\n\nChoose your sending mode FIRST, then grant the appropriate permissions:\n\n# Connect to Exchange Online\nInstall-Module -Name ExchangeOnlineManagement\nConnect-ExchangeOnline -UserPrincipalName admin@yourdomain.com\n\n# REQUIRED: Full Mailbox Access (for reading owner's mail)\nAdd-MailboxPermission -Identity \"owner@yourdomain.com\" `\n -User \"assistant@yourdomain.com\" `\n -AccessRights FullAccess `\n -InheritanceType All `\n -AutoMapping $false\n\n# REQUIRED: Calendar Delegate Access\nAdd-MailboxFolderPermission -Identity \"owner@yourdomain.com:\\Calendar\" `\n -User \"assistant@yourdomain.com\" `\n -AccessRights Editor `\n -SharingPermissionFlags Delegate\n\nThen choose ONE of the following — do NOT grant both:\n\n# OPTION A: Send As (emails appear directly from owner, no indication)\nAdd-RecipientPermission -Identity \"owner@yourdomain.com\" `\n -Trustee \"assistant@yourdomain.com\" `\n -AccessRights SendAs `\n -Confirm:$false\n\n# OPTION B: Send on Behalf (emails show \"assistant on behalf of owner\")\nSet-Mailbox -Identity \"owner@yourdomain.com\" `\n -GrantSendOnBehalfTo \"assistant@yourdomain.com\"\n\nVerify permissions:\n\n# Check mailbox permissions\nGet-MailboxPermission -Identity \"owner@yourdomain.com\" | Where-Object {$_.User -like \"*assistant*\"}\n\n# Check Send As\nGet-RecipientPermission -Identity \"owner@yourdomain.com\" | Where-Object {$_.Trustee -like \"*assistant*\"}\n\n# Check Send on Behalf\nGet-Mailbox \"owner@yourdomain.com\" | Select-Object GrantSendOnBehalfTo\n\n# Check Calendar permissions\nGet-MailboxFolderPermission -Identity \"owner@yourdomain.com:\\Calendar\"" }, { "title": "5. Permissions Summary", "body": "ActionGraph PermissionExchange PermissionRead owner's mailMail.ReadWrite.SharedFullAccessSend as selfMail.Send(none needed)Send as ownerMail.Send.SharedSendAs onlySend on behalf of ownerMail.Send.SharedSendOnBehalf onlyRead/write owner's calendarCalendars.ReadWrite.SharedEditor" }, { "title": "Token Management", "body": "./scripts/outlook-token.sh refresh # Refresh expired token\n./scripts/outlook-token.sh test # Test connection to both accounts\n./scripts/outlook-token.sh get # Print access token\n./scripts/outlook-token.sh info # Show configuration info" }, { "title": "Reading Owner's Emails", "body": "./scripts/outlook-mail.sh inbox [count] # Owner's inbox\n./scripts/outlook-mail.sh unread [count] # Owner's unread\n./scripts/outlook-mail.sh search \"query\" [count] # Search owner's mail\n./scripts/outlook-mail.sh from [count] # Owner's mail from sender\n./scripts/outlook-mail.sh read # Read email content\n./scripts/outlook-mail.sh attachments # List attachments" }, { "title": "Managing Owner's Emails", "body": "./scripts/outlook-mail.sh mark-read # Mark as read\n./scripts/outlook-mail.sh mark-unread # Mark as unread\n./scripts/outlook-mail.sh flag # Flag as important\n./scripts/outlook-mail.sh unflag # Remove flag\n./scripts/outlook-mail.sh delete # Move to trash\n./scripts/outlook-mail.sh archive # Move to archive\n./scripts/outlook-mail.sh move # Move to folder" }, { "title": "Sending Emails", "body": "As Assistant (self):\n\n./scripts/outlook-mail.sh send \n./scripts/outlook-mail.sh reply \"body\"\n./scripts/outlook-mail.sh forward [message]\n\nRecipient sees: \"From: AI Assistant assistant@domain.com\"\n\nAs Owner (Send As — requires SendAs permission, no indication):\n\n./scripts/outlook-mail.sh send-as \n./scripts/outlook-mail.sh reply-as \"body\"\n./scripts/outlook-mail.sh forward-as [message]\n\nRecipient sees: \"From: Owner owner@domain.com\"\n\nOn Behalf of Owner (requires SendOnBehalf permission):\n\n./scripts/outlook-mail.sh send-behalf \n./scripts/outlook-mail.sh reply-behalf \"body\"\n./scripts/outlook-mail.sh forward-behalf [message]\n\nRecipient sees: \"From: AI Assistant on behalf of Owner owner@domain.com\"" }, { "title": "Drafts", "body": "./scripts/outlook-mail.sh draft # Create draft in owner's mailbox\n./scripts/outlook-mail.sh drafts [count] # List owner's drafts\n./scripts/outlook-mail.sh send-draft # Send draft as self\n./scripts/outlook-mail.sh send-draft-as # Send draft as owner\n./scripts/outlook-mail.sh send-draft-behalf # Send draft on behalf of owner" }, { "title": "Folders & Stats", "body": "./scripts/outlook-mail.sh folders # List mail folders\n./scripts/outlook-mail.sh stats # Inbox statistics\n./scripts/outlook-mail.sh whoami # Show delegate info" }, { "title": "Calendar", "body": "Viewing Events:\n\n./scripts/outlook-calendar.sh events [count] # Owner's upcoming events (future only)\n./scripts/outlook-calendar.sh today # Today's events (timezone-aware)\n./scripts/outlook-calendar.sh week # This week's events\n./scripts/outlook-calendar.sh read # Event details\n./scripts/outlook-calendar.sh calendars # List all calendars\n./scripts/outlook-calendar.sh free # Check availability\n\nCreating Events:\n\n./scripts/outlook-calendar.sh create [location]\n./scripts/outlook-calendar.sh quick [time]\n\nDate format: YYYY-MM-DDTHH:MM (e.g., 2026-01-26T10:00)\n\nManaging Events:\n\n./scripts/outlook-calendar.sh update \n./scripts/outlook-calendar.sh delete \n\nFields: subject, location, start, end" }, { "title": "Sent Items Behavior", "body": "Where the sent copy is saved depends on the endpoint used, not the sending mode:\n\nCommandEndpoint UsedSaved Tosend (as self)/users/{delegate}/sendMailDelegate's Sent Itemssend-as/users/{delegate}/sendMailDelegate's Sent Items *send-behalf/users/{delegate}/sendMailDelegate's Sent Items *All draft sends/users/{owner}/messages/{id}/sendOwner's Sent Items\n\n* Administrators can configure Exchange to also save a copy in the owner's Sent Items using:\n\nSet-Mailbox -Identity \"owner@yourdomain.com\" -MessageCopyForSentAsEnabled $true -MessageCopyForSendOnBehalfEnabled $true" }, { "title": "Troubleshooting", "body": "\"Access denied\" or \"403 Forbidden\"\n→ Check that the assistant has MailboxPermission on the owner's mailbox\n\n\"ErrorSendAsDenied\"\n→ Missing SendAs or SendOnBehalf permission. Run the PowerShell commands above.\n\nEmails don't show \"on behalf of\"\n→ You may have both SendAs and SendOnBehalf granted. When both exist, Exchange always uses SendAs (which hides the delegate). Remove the SendAs permission if you want \"on behalf of\" to appear.\n\n\"The mailbox is not found\"\n→ Verify owner_email in config.json is correct\n\n\"AADSTS90002: Tenant not found\"\n→ Check tenant_id in config.json matches your Microsoft Entra tenant\n\n\"Token expired\"\n→ Run outlook-token.sh refresh\n\nWrong timezone for calendar\n→ Update timezone in config.json (use IANA format like America/New_York)" }, { "title": "Security Considerations", "body": "Credential Protection: The ~/.outlook-mcp/ directory is automatically set to 700 and credential files to 600\nNo Process Leaks: Token refresh and exchange operations pass secrets via stdin, not command-line arguments\nInput Sanitization: All user input is JSON-escaped via jq to prevent injection\nAudit Trail: All actions are logged in the owner's mailbox audit log\nScope Limitation: The assistant only has access to what's explicitly granted\nRevocation: Owner can revoke access via Exchange PowerShell or Outlook settings" }, { "title": "Revoking Access", "body": "# Remove all permissions\nRemove-MailboxPermission -Identity \"owner@yourdomain.com\" -User \"assistant@yourdomain.com\" -AccessRights FullAccess -Confirm:$false\n\n# Remove Send As (if granted)\nRemove-RecipientPermission -Identity \"owner@yourdomain.com\" -Trustee \"assistant@yourdomain.com\" -AccessRights SendAs -Confirm:$false\n\n# Remove Send on Behalf (if granted)\nSet-Mailbox -Identity \"owner@yourdomain.com\" -GrantSendOnBehalfTo @{Remove=\"assistant@yourdomain.com\"}\n\n# Remove Calendar access\nRemove-MailboxFolderPermission -Identity \"owner@yourdomain.com:\\Calendar\" -User \"assistant@yourdomain.com\" -Confirm:$false" }, { "title": "Files", "body": "~/.outlook-mcp/config.json — Configuration (client ID, tenant ID, emails, timezone)\n~/.outlook-mcp/credentials.json — OAuth tokens (access + refresh)" }, { "title": "v1.1.0", "body": "FIXED: Reply command no longer sends duplicate emails (removed dead code that sent a garbage email)\nFIXED: All reply/forward variants now use proper Graph API threading (createReply/createForward → patch from → send)\nFIXED: send-as and send-behalf now correctly documented — behavior depends on Exchange permissions, not API endpoint\nFIXED: send-draft-behalf no longer deletes draft before sending (prevents data loss on send failure)\nFIXED: All user input is now JSON-escaped via jq to prevent injection and malformed payloads\nFIXED: Credentials file permissions enforced on every write (chmod 600)\nFIXED: Config directory permissions enforced (chmod 700)\nFIXED: Client secrets no longer visible in process list (sent via stdin)\nFIXED: Calendar events command now shows only future events\nFIXED: Sent Items behavior documented accurately\nFIXED: Version number corrected\nUpdated Microsoft Entra ID naming (formerly Azure Active Directory)\nSetup guide now explicitly warns against granting both SendAs and SendOnBehalf\nRevocation commands updated (GrantSendOnBehalfTo uses @{Remove=...} syntax)" }, { "title": "v1.0.0", "body": "Three sending modes: as self, as owner (Send As), on behalf of owner\nTenant-specific authentication (no /common endpoint)\nConfigurable timezone for calendar operations\nDisplay names for owner and delegate\nDrafts saved to owner's mailbox\nComprehensive PowerShell setup commands\nBased on outlook v1.3.0 by jotamed (https://clawhub.ai/jotamed/outlook)" } ], "body": "Outlook Delegate Skill\n\nAccess another user's Outlook/Microsoft 365 email and calendar as a delegate via Microsoft Graph API. Supports three sending modes: as yourself, as the owner, or on behalf of the owner.\n\nDelegate Architecture\n\nThis skill is designed for scenarios where:\n\nYour AI assistant (the delegate) has its own Microsoft 365 account\nThe owner has granted the assistant delegate access to their mailbox/calendar\nThe assistant can send emails as itself, as the owner, or on behalf of the owner\nSending Modes Explained\n\nAll three modes use the same Graph API call (/users/{delegate}/sendMail with the from field set). The difference between Send As and Send on Behalf is determined entirely by which Exchange permission is granted, not by the API endpoint.\n\nMode\tCommand\tExchange Permission Required\tfrom field\tsender field\tWhat Recipient Sees\nAs Self\tsend\t(none extra)\tDelegate\tDelegate\t\"From: Assistant\"\nAs Owner (Send As)\tsend-as\tSendAs only\tOwner\tOwner\t\"From: Owner\"\nOn Behalf Of\tsend-behalf\tSendOnBehalf only\tOwner\tDelegate\t\"From: Assistant on behalf of Owner\"\n\n⚠️ CRITICAL: Do NOT grant both SendAs and SendOnBehalf permissions. If both are granted, Exchange always uses SendAs, and the \"on behalf of\" indication will never appear. Choose ONE based on your desired behavior.\n\nHow It Works Under the Hood\n\nWhen you call send-as or send-behalf, the skill makes the same API call: it sends via the delegate's endpoint with the owner in the from field. Microsoft Graph automatically sets the sender property to the authenticated user (the delegate). Whether the recipient sees \"on behalf of\" depends solely on the Exchange permission:\n\nSendAs permission → Graph sets both sender and from to the owner. No indication of delegation.\nSendOnBehalf permission → Graph keeps sender as the delegate and from as the owner. Recipient sees \"on behalf of.\"\nConfiguration\nConfig File: ~/.outlook-mcp/config.json\n{\n \"client_id\": \"your-app-client-id\",\n \"client_secret\": \"your-app-client-secret\",\n \"tenant_id\": \"your-tenant-id\",\n \"owner_email\": \"owner@yourdomain.com\",\n \"owner_name\": \"Owner Display Name\",\n \"delegate_email\": \"assistant@yourdomain.com\",\n \"delegate_name\": \"AI Assistant\",\n \"timezone\": \"America/New_York\"\n}\n\nField\tDescription\nclient_id\tMicrosoft Entra ID App Registration client ID\nclient_secret\tMicrosoft Entra ID App Registration client secret\ntenant_id\tYour Microsoft Entra tenant ID (auto-detected during setup)\nowner_email\tThe mailbox the assistant accesses as delegate\nowner_name\tDisplay name for the owner (used in From field)\ndelegate_email\tThe assistant's own email address\ndelegate_name\tDisplay name for the assistant\ntimezone\tIANA timezone for calendar operations (e.g., America/New_York, Europe/London, UTC)\nSetup Requirements\n1. Microsoft Entra ID App Registration\n\nCreate an app registration in Azure Portal:\n\nGo to portal.azure.com → Microsoft Entra ID → App registrations\nNew registration:\nName: \"AI Assistant Mail Access\"\nSupported account types: \"Accounts in this organizational directory only\" (single tenant)\nRedirect URI: http://localhost:8400/callback\nNote the Application (client) ID and Directory (tenant) ID\n2. Configure API Permissions\n\nIn your app → API permissions → Add a permission → Microsoft Graph → Delegated permissions:\n\nRequired for all modes:\n\nMail.ReadWrite — Read/write assistant's own mail\nMail.Send — Send mail as assistant\nCalendars.ReadWrite — Read/write calendars\nUser.Read — Read own profile\noffline_access — Refresh tokens\n\nRequired for delegate access:\n\nMail.ReadWrite.Shared — Read/write shared mailboxes\nMail.Send.Shared — Send on behalf of others\nCalendars.ReadWrite.Shared — Read/write shared calendars\n\nClick \"Grant admin consent\" (requires admin).\n\n3. Create Client Secret\nCertificates & secrets → New client secret\nDescription: \"AI Assistant\"\nExpiration: Choose appropriate duration\nCopy the Value immediately (shown only once)\n4. Grant Exchange Delegate Permissions\n\nThe owner (or an admin) must grant the assistant access via PowerShell.\n\nChoose your sending mode FIRST, then grant the appropriate permissions:\n\n# Connect to Exchange Online\nInstall-Module -Name ExchangeOnlineManagement\nConnect-ExchangeOnline -UserPrincipalName admin@yourdomain.com\n\n# REQUIRED: Full Mailbox Access (for reading owner's mail)\nAdd-MailboxPermission -Identity \"owner@yourdomain.com\" `\n -User \"assistant@yourdomain.com\" `\n -AccessRights FullAccess `\n -InheritanceType All `\n -AutoMapping $false\n\n# REQUIRED: Calendar Delegate Access\nAdd-MailboxFolderPermission -Identity \"owner@yourdomain.com:\\Calendar\" `\n -User \"assistant@yourdomain.com\" `\n -AccessRights Editor `\n -SharingPermissionFlags Delegate\n\n\nThen choose ONE of the following — do NOT grant both:\n\n# OPTION A: Send As (emails appear directly from owner, no indication)\nAdd-RecipientPermission -Identity \"owner@yourdomain.com\" `\n -Trustee \"assistant@yourdomain.com\" `\n -AccessRights SendAs `\n -Confirm:$false\n\n# OPTION B: Send on Behalf (emails show \"assistant on behalf of owner\")\nSet-Mailbox -Identity \"owner@yourdomain.com\" `\n -GrantSendOnBehalfTo \"assistant@yourdomain.com\"\n\n\nVerify permissions:\n\n# Check mailbox permissions\nGet-MailboxPermission -Identity \"owner@yourdomain.com\" | Where-Object {$_.User -like \"*assistant*\"}\n\n# Check Send As\nGet-RecipientPermission -Identity \"owner@yourdomain.com\" | Where-Object {$_.Trustee -like \"*assistant*\"}\n\n# Check Send on Behalf\nGet-Mailbox \"owner@yourdomain.com\" | Select-Object GrantSendOnBehalfTo\n\n# Check Calendar permissions\nGet-MailboxFolderPermission -Identity \"owner@yourdomain.com:\\Calendar\"\n\n5. Permissions Summary\nAction\tGraph Permission\tExchange Permission\nRead owner's mail\tMail.ReadWrite.Shared\tFullAccess\nSend as self\tMail.Send\t(none needed)\nSend as owner\tMail.Send.Shared\tSendAs only\nSend on behalf of owner\tMail.Send.Shared\tSendOnBehalf only\nRead/write owner's calendar\tCalendars.ReadWrite.Shared\tEditor\nUsage\nToken Management\n./scripts/outlook-token.sh refresh # Refresh expired token\n./scripts/outlook-token.sh test # Test connection to both accounts\n./scripts/outlook-token.sh get # Print access token\n./scripts/outlook-token.sh info # Show configuration info\n\nReading Owner's Emails\n./scripts/outlook-mail.sh inbox [count] # Owner's inbox\n./scripts/outlook-mail.sh unread [count] # Owner's unread\n./scripts/outlook-mail.sh search \"query\" [count] # Search owner's mail\n./scripts/outlook-mail.sh from [count] # Owner's mail from sender\n./scripts/outlook-mail.sh read # Read email content\n./scripts/outlook-mail.sh attachments # List attachments\n\nManaging Owner's Emails\n./scripts/outlook-mail.sh mark-read # Mark as read\n./scripts/outlook-mail.sh mark-unread # Mark as unread\n./scripts/outlook-mail.sh flag # Flag as important\n./scripts/outlook-mail.sh unflag # Remove flag\n./scripts/outlook-mail.sh delete # Move to trash\n./scripts/outlook-mail.sh archive # Move to archive\n./scripts/outlook-mail.sh move # Move to folder\n\nSending Emails\n\nAs Assistant (self):\n\n./scripts/outlook-mail.sh send \n./scripts/outlook-mail.sh reply \"body\"\n./scripts/outlook-mail.sh forward [message]\n\n\nRecipient sees: \"From: AI Assistant assistant@domain.com\"\n\nAs Owner (Send As — requires SendAs permission, no indication):\n\n./scripts/outlook-mail.sh send-as \n./scripts/outlook-mail.sh reply-as \"body\"\n./scripts/outlook-mail.sh forward-as [message]\n\n\nRecipient sees: \"From: Owner owner@domain.com\"\n\nOn Behalf of Owner (requires SendOnBehalf permission):\n\n./scripts/outlook-mail.sh send-behalf \n./scripts/outlook-mail.sh reply-behalf \"body\"\n./scripts/outlook-mail.sh forward-behalf [message]\n\n\nRecipient sees: \"From: AI Assistant on behalf of Owner owner@domain.com\"\n\nDrafts\n./scripts/outlook-mail.sh draft # Create draft in owner's mailbox\n./scripts/outlook-mail.sh drafts [count] # List owner's drafts\n./scripts/outlook-mail.sh send-draft # Send draft as self\n./scripts/outlook-mail.sh send-draft-as # Send draft as owner\n./scripts/outlook-mail.sh send-draft-behalf # Send draft on behalf of owner\n\nFolders & Stats\n./scripts/outlook-mail.sh folders # List mail folders\n./scripts/outlook-mail.sh stats # Inbox statistics\n./scripts/outlook-mail.sh whoami # Show delegate info\n\nCalendar\n\nViewing Events:\n\n./scripts/outlook-calendar.sh events [count] # Owner's upcoming events (future only)\n./scripts/outlook-calendar.sh today # Today's events (timezone-aware)\n./scripts/outlook-calendar.sh week # This week's events\n./scripts/outlook-calendar.sh read # Event details\n./scripts/outlook-calendar.sh calendars # List all calendars\n./scripts/outlook-calendar.sh free # Check availability\n\n\nCreating Events:\n\n./scripts/outlook-calendar.sh create [location]\n./scripts/outlook-calendar.sh quick [time]\n\n\nDate format: YYYY-MM-DDTHH:MM (e.g., 2026-01-26T10:00)\n\nManaging Events:\n\n./scripts/outlook-calendar.sh update \n./scripts/outlook-calendar.sh delete \n\n\nFields: subject, location, start, end\n\nSent Items Behavior\n\nWhere the sent copy is saved depends on the endpoint used, not the sending mode:\n\nCommand\tEndpoint Used\tSaved To\nsend (as self)\t/users/{delegate}/sendMail\tDelegate's Sent Items\nsend-as\t/users/{delegate}/sendMail\tDelegate's Sent Items *\nsend-behalf\t/users/{delegate}/sendMail\tDelegate's Sent Items *\nAll draft sends\t/users/{owner}/messages/{id}/send\tOwner's Sent Items\n\n* Administrators can configure Exchange to also save a copy in the owner's Sent Items using:\n\nSet-Mailbox -Identity \"owner@yourdomain.com\" -MessageCopyForSentAsEnabled $true -MessageCopyForSendOnBehalfEnabled $true\n\nTroubleshooting\n\n\"Access denied\" or \"403 Forbidden\" → Check that the assistant has MailboxPermission on the owner's mailbox\n\n\"ErrorSendAsDenied\" → Missing SendAs or SendOnBehalf permission. Run the PowerShell commands above.\n\nEmails don't show \"on behalf of\" → You may have both SendAs and SendOnBehalf granted. When both exist, Exchange always uses SendAs (which hides the delegate). Remove the SendAs permission if you want \"on behalf of\" to appear.\n\n\"The mailbox is not found\" → Verify owner_email in config.json is correct\n\n\"AADSTS90002: Tenant not found\" → Check tenant_id in config.json matches your Microsoft Entra tenant\n\n\"Token expired\" → Run outlook-token.sh refresh\n\nWrong timezone for calendar → Update timezone in config.json (use IANA format like America/New_York)\n\nSecurity Considerations\nCredential Protection: The ~/.outlook-mcp/ directory is automatically set to 700 and credential files to 600\nNo Process Leaks: Token refresh and exchange operations pass secrets via stdin, not command-line arguments\nInput Sanitization: All user input is JSON-escaped via jq to prevent injection\nAudit Trail: All actions are logged in the owner's mailbox audit log\nScope Limitation: The assistant only has access to what's explicitly granted\nRevocation: Owner can revoke access via Exchange PowerShell or Outlook settings\nRevoking Access\n# Remove all permissions\nRemove-MailboxPermission -Identity \"owner@yourdomain.com\" -User \"assistant@yourdomain.com\" -AccessRights FullAccess -Confirm:$false\n\n# Remove Send As (if granted)\nRemove-RecipientPermission -Identity \"owner@yourdomain.com\" -Trustee \"assistant@yourdomain.com\" -AccessRights SendAs -Confirm:$false\n\n# Remove Send on Behalf (if granted)\nSet-Mailbox -Identity \"owner@yourdomain.com\" -GrantSendOnBehalfTo @{Remove=\"assistant@yourdomain.com\"}\n\n# Remove Calendar access\nRemove-MailboxFolderPermission -Identity \"owner@yourdomain.com:\\Calendar\" -User \"assistant@yourdomain.com\" -Confirm:$false\n\nFiles\n~/.outlook-mcp/config.json — Configuration (client ID, tenant ID, emails, timezone)\n~/.outlook-mcp/credentials.json — OAuth tokens (access + refresh)\nChangelog\nv1.1.0\nFIXED: Reply command no longer sends duplicate emails (removed dead code that sent a garbage email)\nFIXED: All reply/forward variants now use proper Graph API threading (createReply/createForward → patch from → send)\nFIXED: send-as and send-behalf now correctly documented — behavior depends on Exchange permissions, not API endpoint\nFIXED: send-draft-behalf no longer deletes draft before sending (prevents data loss on send failure)\nFIXED: All user input is now JSON-escaped via jq to prevent injection and malformed payloads\nFIXED: Credentials file permissions enforced on every write (chmod 600)\nFIXED: Config directory permissions enforced (chmod 700)\nFIXED: Client secrets no longer visible in process list (sent via stdin)\nFIXED: Calendar events command now shows only future events\nFIXED: Sent Items behavior documented accurately\nFIXED: Version number corrected\nUpdated Microsoft Entra ID naming (formerly Azure Active Directory)\nSetup guide now explicitly warns against granting both SendAs and SendOnBehalf\nRevocation commands updated (GrantSendOnBehalfTo uses @{Remove=...} syntax)\nv1.0.0\nThree sending modes: as self, as owner (Send As), on behalf of owner\nTenant-specific authentication (no /common endpoint)\nConfigurable timezone for calendar operations\nDisplay names for owner and delegate\nDrafts saved to owner's mailbox\nComprehensive PowerShell setup commands\nBased on outlook v1.3.0 by jotamed (https://clawhub.ai/jotamed/outlook)" }, "trust": { "sourceLabel": "tencent", "provenanceUrl": "https://clawhub.ai/87Marc/outlook-delegate", "publisherUrl": "https://clawhub.ai/87Marc/outlook-delegate", "owner": "87Marc", "version": "1.1.1", "license": null, "verificationStatus": "Indexed source record" }, "links": { "detailUrl": "https://openagent3.xyz/skills/outlook-delegate", "downloadUrl": "https://openagent3.xyz/downloads/outlook-delegate", "agentUrl": "https://openagent3.xyz/skills/outlook-delegate/agent", "manifestUrl": "https://openagent3.xyz/skills/outlook-delegate/agent.json", "briefUrl": "https://openagent3.xyz/skills/outlook-delegate/agent.md" } }