OneDrive is one of the highest-value targets an enterprise agent can touch: it holds documents, spreadsheets, internal decks, and shared libraries across your entire tenant. Connecting an OpenClaw agent to OneDrive via the Microsoft Graph API is straightforward, but without policy-as-code enforcement, a single misconfigured permission scope can let an agent read, overwrite, or exfiltrate files across every user's drive.
Claw EA treats OneDrive as a permissioned integration, connectable via official API with enterprise buildout controls. Write and admin actions require WPC approval gates, scoped tokens (CST), and explicit least-privilege Microsoft Graph auth scopes. Prompt-level instructions alone cannot enforce these boundaries because the model can be jailbroken or the skill definition can be swapped at runtime.
Step-by-step runbook
- Register an Entra ID app with minimal Graph scopes. Start with Files.Read for the specific site or drive. Do not grant Files.ReadWrite.All unless the WPC explicitly requires write access. Use application permissions only if the agent must operate without a signed-in user; prefer delegated permissions where possible.
- Author a Work Policy Contract (WPC). Define the allowed Graph scopes, target drive IDs or site paths, permitted file types, and whether write operations are authorized. The WPC is signed and hash-addressed in the clawcontrols registry.
- Issue a scoped token (CST) pinned to the WPC hash. clawscope issues the CST with the policy hash pinned, so the agent's token is only valid for operations the contract permits. This binds the job to a specific policy version.
- Route model calls through clawproxy. Every LLM inference the agent makes during the OneDrive task produces a gateway receipt. These receipts record the model, prompt hash, and timestamp for later verification.
- Implement the OneDrive tool as an OpenClaw plugin. The plugin calls Microsoft Graph endpoints, passing the Entra ID OAuth token for data access and the CST for Claw Bureau policy checks. Sandbox the plugin using OpenClaw's Docker sandboxing (sandbox.mode: "all") to contain filesystem and network access.
- Collect the proof bundle after the run. The bundle includes gateway receipts, the WPC hash, CST metadata, and job-scoped anti-replay binding. Store the resulting Trust Pulse artifact for audit viewing.
Threat model
| Threat | What happens | Control |
|---|---|---|
| Over-scoped Graph permissions (Files.ReadWrite.All) | Agent writes or deletes files across the entire tenant | WPC restricts allowed Graph scopes; CST is pinned to that WPC hash |
| Prompt injection via a malicious document | Agent reads a OneDrive file containing injected instructions, then exfiltrates other files | OpenClaw sandbox isolates network egress; egress allowlists (planned) can further restrict outbound targets |
| Skill swap at runtime | A modified skill definition changes the agent's target drive or enables write mode | WPC is hash-addressed and immutable; CST will not validate against a different policy hash |
| Token replay across jobs | A leaked CST is reused for a different OneDrive task | Marketplace anti-replay binding ties each CST to a specific job scope |
| Silent data exfiltration via model context | Sensitive file contents are sent to the LLM provider in the prompt | Gateway receipts log every model call; proof bundle enables post-hoc audit of what was sent and when |
Policy-as-code example
```json
{
  "wpc_version": "1.0",
  "tool": "onedrive",
  "connection": "microsoft_graph_api",
  "allowed_scopes": [
    "Files.Read",
    "Sites.Read.All"
  ],
  "denied_scopes": [
    "Files.ReadWrite.All",
    "Sites.ReadWrite.All",
    "Sites.FullControl.All"
  ],
  "allowed_drive_ids": ["b!xYz123..."],
  "write_enabled": false,
  "max_file_size_bytes": 10485760,
  "require_sandbox": true,
  "cst_policy_hash_pin": true
}
```
This WPC fragment restricts the agent to read-only access on a single drive, blocks all write scopes, caps file size at 10 MB, and requires sandbox execution. The CST issued for this job will carry the hash of this exact policy.
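The following is an added example, not Claw EA or OpenClaw code, of what the enforcement side of the runbook's policy and token steps looks like: a pre-flight gate that checks each proposed Microsoft Graph request against a WPC with the field names shown in the fragment above before the plugin sends it. The canonical-JSON SHA-256 used as the policy hash, the placeholder drive ID, and the assumption that the CST exposes its pinned policy hash to the plugin are this example's own.

```python
"""Added example: a pre-flight policy gate for Microsoft Graph requests.

Not Claw EA / OpenClaw code. WPC field names follow the fragment on this page;
the hash construction and the gate logic are this example's own assumptions.
"""
import hashlib
import json
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed WPC mirroring the page's fragment (drive id is a placeholder).
WPC = {
    "wpc_version": "1.0",
    "tool": "onedrive",
    "connection": "microsoft_graph_api",
    "allowed_scopes": ["Files.Read", "Sites.Read.All"],
    "denied_scopes": ["Files.ReadWrite.All", "Sites.ReadWrite.All", "Sites.FullControl.All"],
    "allowed_drive_ids": ["b!EXAMPLE_DRIVE_ID"],
    "write_enabled": False,
    "max_file_size_bytes": 10485760,
    "require_sandbox": True,
    "cst_policy_hash_pin": True,
}

# HTTP methods that change state in OneDrive.
WRITE_METHODS = {"PUT", "POST", "PATCH", "DELETE"}


def wpc_hash(wpc: dict) -> str:
    """SHA-256 over canonical JSON; the value a CST would be pinned to (assumed scheme)."""
    canonical = json.dumps(wpc, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


@dataclass
class GraphRequest:
    method: str
    url: str                  # e.g. https://graph.microsoft.com/v1.0/drives/{id}/items/{item}/content
    token_scopes: frozenset   # scopes present in the OAuth token's scp/roles claim
    item_size_bytes: int = 0  # driveItem size for reads, upload body size for writes


def drive_id_from_url(url: str):
    """Extract {drive-id} from a Graph path of the shape /v1.0/drives/{drive-id}/..."""
    parts = urlparse(url).path.strip("/").split("/")
    if "drives" in parts:
        i = parts.index("drives")
        if i + 1 < len(parts):
            return parts[i + 1]
    return None  # /me/drive and site-relative paths carry no explicit drive id


def check_request(req: GraphRequest, wpc: dict, cst_pinned_hash: str) -> list:
    """Return a list of violations; an empty list means the request may be sent."""
    violations = []
    if wpc.get("cst_policy_hash_pin") and cst_pinned_hash != wpc_hash(wpc):
        violations.append("CST is pinned to a different policy hash")
    if urlparse(req.url).netloc != "graph.microsoft.com":
        violations.append("request is not addressed to Microsoft Graph")
    present = set(req.token_scopes)
    denied = present & set(wpc["denied_scopes"])
    if denied:
        violations.append(f"token carries denied scopes: {sorted(denied)}")
    extra = present - set(wpc["allowed_scopes"])
    if extra:
        violations.append(f"token carries scopes outside the contract: {sorted(extra)}")
    if req.method.upper() in WRITE_METHODS and not wpc["write_enabled"]:
        violations.append("write operation but wpc.write_enabled is false")
    drive = drive_id_from_url(req.url)
    if drive is None or drive not in wpc["allowed_drive_ids"]:
        violations.append(f"drive {drive!r} is not in allowed_drive_ids")
    if req.item_size_bytes > wpc["max_file_size_bytes"]:
        violations.append("item size exceeds max_file_size_bytes")
    return violations


if __name__ == "__main__":
    pinned = wpc_hash(WPC)
    read = GraphRequest(
        "GET",
        "https://graph.microsoft.com/v1.0/drives/b!EXAMPLE_DRIVE_ID/items/01ITEM/content",
        frozenset({"Files.Read"}),
        4096,
    )
    print("read:", check_request(read, WPC, pinned))
    write = GraphRequest("PUT", read.url, frozenset({"Files.Read"}), 4096)
    print("write:", check_request(write, WPC, pinned))
```

The gate fails closed: a token that carries a denied scope is reported both as denied and as outside the contract, an upload against a read-only contract is refused before any bytes leave the sandbox, and a path without an explicit drive ID (such as /me/drive) is rejected rather than guessed at.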
What proof do you get?
Model-assisted runs produce gateway receipts for every LLM call made during the OneDrive task. These receipts are signed by clawproxy and include the model identifier, a prompt content hash, and a timestamp.
At job completion, receipts are bundled into a proof bundle alongside the WPC hash, CST metadata, and anti-replay job binding. The proof bundle can be submitted to clawverify for tier-based trust assessment. The resulting Trust Pulse artifact is stored in the marketplace for audit viewing by compliance teams or the delegating principal.
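As an added example (not clawproxy or clawverify code), the block below models the receipt and proof-bundle flow described above: each receipt carries the model identifier, a prompt content hash, a timestamp and the job it belongs to; the bundle ties the receipts to the WPC hash, the CST's pinned policy hash and a job-scoped anti-replay binding; and the verifier rejects a tampered receipt or one lifted from another job. HMAC-SHA256 with a shared key stands in for the gateway's real signature scheme, and the binding construction (hash of job ID, WPC hash and CST ID) is this example's assumption.

```python
"""Added example: gateway receipts, proof bundle, and post-hoc audit.

Not clawproxy / clawverify code. Receipt fields follow the page's description;
the HMAC signing, the bundle layout and the anti-replay binding are assumptions.
"""
import hashlib
import hmac
import json

# Constructed signing key; a real verifier would hold the gateway's public key.
GATEWAY_KEY = b"example-gateway-signing-key"


def _canon(obj) -> bytes:
    """Canonical JSON so signatures are stable across key ordering."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def prompt_hash(prompt: str) -> str:
    return hashlib.sha256(prompt.encode()).hexdigest()


def issue_receipt(job_id: str, model: str, prompt: str, ts: float, key: bytes = GATEWAY_KEY) -> dict:
    """What the gateway emits for one LLM call: no prompt text, only its hash."""
    body = {"job_id": job_id, "model": model, "prompt_hash": prompt_hash(prompt), "timestamp": ts}
    sig = hmac.new(key, _canon(body), hashlib.sha256).hexdigest()
    return {**body, "sig": sig}


def receipt_valid(receipt: dict, key: bytes = GATEWAY_KEY) -> bool:
    body = {k: v for k, v in receipt.items() if k != "sig"}
    expected = hmac.new(key, _canon(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, receipt.get("sig", ""))


def anti_replay_binding(job_id: str, wpc_hash: str, cst_id: str) -> str:
    """Assumed binding: one value that is only reproducible for this job/policy/token triple."""
    return hashlib.sha256(f"{job_id}|{wpc_hash}|{cst_id}".encode()).hexdigest()


def build_bundle(job_id: str, wpc_hash: str, cst_id: str, receipts: list) -> dict:
    return {
        "job_id": job_id,
        "wpc_hash": wpc_hash,
        "cst": {"cst_id": cst_id, "policy_hash_pin": wpc_hash},
        "binding": anti_replay_binding(job_id, wpc_hash, cst_id),
        "receipts": list(receipts),
    }


def verify_bundle(bundle: dict, expected_wpc_hash: str, key: bytes = GATEWAY_KEY) -> list:
    """Return a list of problems; empty means the bundle is internally consistent."""
    problems = []
    if bundle["wpc_hash"] != expected_wpc_hash:
        problems.append("bundle WPC hash does not match the registered policy")
    if bundle["cst"]["policy_hash_pin"] != bundle["wpc_hash"]:
        problems.append("CST is pinned to a different policy hash than the bundle")
    if bundle["binding"] != anti_replay_binding(bundle["job_id"], bundle["wpc_hash"], bundle["cst"]["cst_id"]):
        problems.append("anti-replay binding does not reproduce")
    last_ts = float("-inf")
    for i, r in enumerate(bundle["receipts"]):
        if not receipt_valid(r, key):
            problems.append(f"receipt {i}: bad gateway signature")
        if r["job_id"] != bundle["job_id"]:
            problems.append(f"receipt {i}: belongs to job {r['job_id']}, not {bundle['job_id']}")
        if r["timestamp"] < last_ts:
            problems.append(f"receipt {i}: timestamp goes backwards")
        last_ts = r["timestamp"]
    return problems


def receipts_for_prompt(bundle: dict, prompt: str) -> list:
    """Post-incident audit: which receipts match a reconstructed prompt's content hash."""
    h = prompt_hash(prompt)
    return [r for r in bundle["receipts"] if r["prompt_hash"] == h]


if __name__ == "__main__":
    policy_hash = "a" * 64  # placeholder for the real WPC hash
    r1 = issue_receipt("job-1", "example-model", "Summarise the attached deck.", 1700000000.0)
    r2 = issue_receipt("job-1", "example-model", "List files in the shared library.", 1700000010.0)
    bundle = build_bundle("job-1", policy_hash, "cst-1", [r1, r2])
    print("bundle problems:", verify_bundle(bundle, policy_hash))
    print("matching receipts:", len(receipts_for_prompt(bundle, "List files in the shared library.")))
```

Because the receipt stores only a hash, the audit question "was this file's content sent to the provider?" is answered by recomputing the hash of the prompt as the plugin assembled it and looking for a match; the bundle proves what was sent and when, not that sending was prevented, which is the point the FAQ below makes as well.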
Rollback posture
| Action | Safe rollback | Evidence |
|---|---|---|
| Agent reads files only (WPC write_enabled: false) | No rollback needed; no state was changed in OneDrive | Gateway receipts confirm model calls; proof bundle confirms read-only policy was active |
| Agent writes or uploads files (WPC write_enabled: true) | OneDrive version history allows file restore; WPC should require versioning on target libraries | Proof bundle records which files were touched; Graph API audit logs provide file-level change history |
| Agent deletes files | OneDrive recycle bin retains items for 93 days by default; restore from recycle bin | Proof bundle plus Entra ID sign-in logs identify the app and time window |
| Suspected token compromise | Revoke the CST via clawscope; revoke the Entra ID app's OAuth refresh token via Conditional Access | CST revocation event is logged; Entra ID audit log records token revocation |
FAQ
Is OneDrive integration available as a native connector today?
No. OneDrive can be connected via the official Microsoft Graph API with enterprise buildout controls. It is not shipped as an out-of-the-box native connector. The integration requires registering an Entra ID application and building the OpenClaw tool plugin for your environment.
Why can't prompt instructions replace policy-as-code for OneDrive access?
Prompt instructions are advisory. A model can be manipulated through prompt injection, or a skill definition can be altered between runs. A WPC is a signed, hash-addressed artifact that the infrastructure enforces independently of the model's behavior. The CST will not validate against a different policy, so the execution layer rejects unauthorized operations regardless of what the prompt says.
Which Microsoft Graph scopes should I start with?
For read-only document retrieval, Files.Read (delegated) or Files.Read.All (application) is sufficient. If the agent must write, use Files.ReadWrite scoped to a specific drive or site. Avoid tenant-wide write scopes unless the WPC explicitly justifies them and your Conditional Access policies restrict the app's access further.
How do gateway receipts help if the agent exfiltrates data through the LLM prompt?
Gateway receipts log a content hash of every prompt sent to the model provider. During a post-incident review, you can match receipt timestamps and hashes against the proof bundle to determine exactly which file contents were included in model calls and when. This does not prevent exfiltration, but it provides a verifiable audit trail.
Can I enforce cost budgets on OneDrive agent runs?
Automatic cost budget enforcement is planned but not yet shipped. Today, you can set model call limits in the WPC and monitor spend through gateway receipt counts in the proof bundle. Hard budget cutoffs would need to be implemented as part of the enterprise buildout.