From sandbox-auth
ALWAYS use this FIRST — before any Microsoft Graph / Microsoft 365 operation — to authenticate the sandbox. Trigger this before any request to graph.microsoft.com: reading a user profile (/me), mail, calendar, OneDrive files, Teams, or any other M365/Graph data. The sandbox blocks unauthenticated egress, so Graph calls will fail until this runs. It triggers the egress proxy's auth handshake (may need a browser Azure AD login / consent or a ManualToken paste, which it relays). Do NOT make Graph API calls until this reports SUCCESS.
How this skill is triggered — by the user, by Claude, or both
Slash command
/sandbox-auth:microsoft-graph [optional: space-separated Graph scopes, e.g. 'User.Read Mail.Read']
This skill is limited to the following tools:
bash
The summary Claude sees in its skill listing — used to decide when to auto-load this skill
Set up Microsoft Graph auth through the sandbox egress proxy before any Graph API call. This is a prerequisite — the proxy must acquire and cache an OAuth token on the user's behalf.
This skill is a thin wrapper: it only picks the Graph probe URL and reports the result.
The handshake itself — wire contract, polling through auth_pending, the login relay (including
the Desktop ManualToken dialog), token injection, and exit-code handling — is owned by the
sandbox-auth:egress-auth skill. Do not reimplement it here.
Use the default unless the user needs a specific resource:
https://graph.microsoft.com/v1.0/me
$ARGUMENTS (the default /v1.0/me probe works for most cases; actual scopes are set by the egress policy, not by this skill).
sandbox-auth:egress-auth — follow its "set up auth for a probe URL" procedure with PROBE_URL = https://graph.microsoft.com/v1.0/me and BUDGET = 300. It runs the engine (${CLAUDE_PLUGIN_ROOT}/scripts/sandbox-auth-fetch.py), polls internally, and relays any [HITL_REQUIRED] prompt. Do not write your own retry loop.
egress-auth exit-code table. On SUCCESS the user can call graph.microsoft.com; the token is cached for the session.

| Scope | Access |
|---|---|
| User.Read | Signed-in user's profile |
| User.ReadBasic.All | Basic profiles of all users |
| Mail.Read / Mail.Send | Read / send mail |
| Files.Read | OneDrive files |
| Calendars.Read | Calendar |

GET /v1.0/me — current user profile
GET /v1.0/me/messages — mail
GET /v1.0/me/drive/root/children — OneDrive
GET /v1.0/me/events — calendar

Everything else — never bypass the proxy, never call Graph before SUCCESS, one auth per session — is enforced by sandbox-auth:egress-auth.
npx claudepluginhub gautam-achieveai/claudeplugins --plugin sandbox-auth