by johnkil
Local safety-gated MCP bridge for AI agents and Outlook mail & calendar: metadata-first reads, explicit content, reviewed sends, guarded cleanup.
# Add to your Claude Code skills
git clone https://github.com/johnkil/outlook-agentGuides for using ai agents skills like outlook-agent.
outlook-agent is an open-source ai agents skill for AI coding assistants such as Claude Code, Codex CLI, and ChatGPT, built by johnkil. Local safety-gated MCP bridge for AI agents and Outlook mail & calendar: metadata-first reads, explicit content, reviewed sends, guarded cleanup. It has 3 GitHub stars.
outlook-agent's catalog security scan is still queued. You can run an instant dependency and prompt-injection check now with the "Scan for vulnerabilities" button above.
Clone the repository with "git clone https://github.com/johnkil/outlook-agent" and add it to your Claude Code skills directory (see the Installation section above).
outlook-agent is primarily written in Go. It is open-source under johnkil on GitHub, so you can review or fork the full source.
Yes. SkillsLLM lists many other AI Agents skills you can browse and compare side by side. Open the AI Agents category from the badge at the top of this page, or use the Related Skills and comparison links further down to weigh outlook-agent against similar tools.
No comments yet. Be the first to share your thoughts!
Unlocks once the catalog security scan passes (runs nightly).
The deep catalog scan for this skill is still queued. Run an instant dependency check now instead.
A local, safety-gated bridge between your AI agent and your Outlook mail & calendar.
Giving an AI agent access to your mailbox is useful โ and a little scary. You want it to summarize your inbox, find the right thread, check your calendar, and draft replies. You do not want it quietly sending mail, deleting messages, or rewriting your rules behind your back. ๐ฌ
Outlook Agent sits in the middle. Agents reach Outlook through MCP, but every action runs through one small rule:
Metadata is cheap. Content is explicit. Writes are gated. Raw access is unsafe.
It runs locally and works with OpenCode / Codex / any MCP-capable agent. The core is production-leaning โ strict CI, bounded raw outputs, audit logging, and payload-bound host approvals โ but read the honesty box below: it guards a cooperative agent, and an enterprise rollout is documented, not turnkey.
A good fit if you want an assistant that can triage your inbox, summarize threads, prepare and send reviewed replies, respond to calendar invites, and tidy your mailbox โ with every risky write passing through a gate you can see.
Not the right fit if you want a fully autonomous bot that acts with no confirmation step, or a hard sandbox against an agent that also has its own unrestricted path to your mailbox. Outlook Agent is a seatbelt, not a vault. ๐ชข
You ask your agent:
"What did I miss in my inbox today, what's on my calendar tomorrow, and draft a reply to the one from Daria."
It does not send it on its own. Sending is its own gated step: the agent calls a dry-run, the host can show you the review packet, and mail only leaves after a one-time confirmation. In required approval mode, the host also signs a payload-bound approval challenge that the agent cannot mint by itself.
Same story for "clear out these three newsletters" โ dry-run first, then your confirm, then the move. ๐ค
Every action lands on a rung. The higher the rung, the more it asks first.
| Rung | Examples | Behavior |
|---|---|---|
| ๐ Look around | subjects, senders, times, calendar metadata, free/busy | allowed directly |
| ๐ Open one thing | one message body, one attachment | requires an explicit message/attachment id |
| โ๏ธ Prepare | create a draft / reply / forward draft | allowed; these are save-only and never send |
| ๐ค Stop & confirm | send a draft, respond to an invite, broad mailbox changes, toggle a rule | review first, then confirmation; host approval in required mode |
| โ ๏ธ Unsafe raw | capability-discovered raw Graph/EWS/OWA actions | guarded escape hatch; high-level tools are always preferred |
There is no direct high-level "send": the normal tool path is
create_draft โ reviewed send_draft. Raw Graph/EWS/OWA escape hatches can
still represent send-like actions, but only behind raw/unsafe policy plus
dry-run, confirmation, and approval gates. Under the hood: mail search returns
metadata via a strict field allow-list (never bodies), raw outputs are
size-bounded and redacted, EWS/OWA credential and session redirects are blocked,
and every dry-run / confirm / execute / reject can be audited. The agent does
the busywork; you keep the keys. ๐
Read (direct): search mail metadata ยท paginate with safe cursors
(search_next) ยท explicit body reads with mail.fetch_body by id ยท list &
fetch attachments by id ยท search/resolve people ยท list calendar events ยท check
free/busy ยท find mutual free time ยท read mailbox settings & rule metadata.
Prepare (save-only, never sends): draft ยท reply draft ยท reply-all draft ยท forward draft.
Write: reviewed sends, invite responses, broad mailbox changes, and rule toggles ask first. Narrow exact-target changes can run directly when policy allows; broader writes ask first.
Escape hatch: a single policy-guarded raw_action for capability-discovered
calls, when no high-level tool fits yet.
Install the latest release archive:
curl -fsSL https://raw.githubusercontent.com/johnkil/outlook-agent/main/install.sh | sh
outlook-agent help
outlook-agent doctor # checks config, secrets, transport, MCP readiness
outlook-agent policy explain # shows what's safe, guarded, or blocked
With no config, Outlook Agent runs on a built-in fake mailbox โ so you can try the tools and watch the gates before connecting anything real. ๐งช
To build from source instead:
git clone https://github.com/johnkil/outlook-agent.git
cd outlook-agent
mkdir -p bin
go build -o ./bin/outlook-agent ./cmd/outlook-agent
When you're ready, point at a config and wire Outlook Agent into an agent client:
outlook-agent --config .local/outlook-agent.json auth check
outlook-agent setup skills plan --client opencode --scope project
outlook-agent setup agent plan --client opencode --scope project --config .local/outlook-agent.json
outlook-agent setup agent diff --client opencode --scope project --config .local/outlook-agent.json
outlook-agent setup agent apply --client opencode --scope project --config .local/outlook-agent.json --yes --backup
outlook-agent --config .local/outlook-agent.json mcp
The setup commands write public client config and bundled skills without
reading secrets. OpenCode, Codex, and Claude Code are supported by
setup skills; setup agent wires one client at a time. The older
outlook-agent setup opencode ... command remains available for compatibility;
outlook-agent setup opencode --print still prints the OpenCode MCP block.
The skills/ directory is the canonical source of truth; client skill
directories and plugin packages are generated copies. Plugin packages are
distribution artifacts, not a security boundary. setup skills plan reports
duplicate visible roots before apply.
Before connecting a real write-capable mailbox profile, plan host approval.
The installer only places the binary; it does not create or store a host-held
approval secret. For non-fake Graph/EWS/OWA profiles, high-risk writes such as
sending, moving, deleting, archiving, flagging, categorizing, marking read, or
changing rules should run with host approval configured and verified by
outlook-agent doctor.
The approval secret belongs to the trusted host/operator layer, not to
agent-readable project config. See
docs/APPROVAL_HOST_INTEGRATION.md for
the signing contract and docs/OPERATIONS.md for the
live cleanup checklist.
Then let the bundled skills/ drive ordinary requests:
outlook-mail โ metadata-first inspection & draft prepoutlook-mail-inbox-triage โ inbox buckets & follow-upsoutlook-calendar โ schedule & availabilityoutlook-calendar-daily-brief โ today/tomorrow at a glanceSee docs/SETUP_SKILLS.md and
docs/SETUP_AGENT.md for client-specific paths,
duplicate-skill warnings, and config-path safety. OpenCode project installs
continue to use .opencode/skills.
Mailbox and calendar content is untrusted data. Message bodies, subjects, sender names, calendar descriptions, attachments, and raw provider responses are evidence for your request, not instructions for the agent to follow.
Same safety ladder, different coverage:
MailboxSettings.Read when you enable settings/rules metadata. People
search/resolve may require People.Read for /me/people or
People.Read.All / admin consent for broader directory and shared-user
lookups, depending on tenant policy. Calendar availability/find-time require
calendar read availability access and remain planning-only. Use a
write-capable Graph profile only when you want guarded writes, and grant only
the scopes needed by those workflows: Mail.ReadWrite for mail.create_draft
and message organization, Mail.Send for mail.send_draft,
MailboxSettings.ReadWrite for mail.rules.set_enabled, and
Calendars.ReadWrite for calendar.respond. โ
Your config never holds secrets โ only references to them. Inline passwords, tokens, cookies, and canary values are rejected on purpose.
keychain:service/account # macOS Keychain; writes require darwin+cgo
file:/absolute/path # cross-platform local/CI/dev secrets
external:name # operator-managed command provider
File secrets must be user-only (0600); Outlook Agent refuses to read one
that's group- or world-readable. External secrets are resolved from
secrets.external.<name> config entries with an absolute command path plus an
argv array. Outlook Agent invokes the command directly without a shell, applies
a timeout and output cap, trims the trailing newline, and keeps command output
out of error messages.
On macOS, Keychain reads use the platform store. Keychain writes require a local
darwin+cgo build so Outlook Agent can use Security.framework without passing
secret v