Is zoho-bigin safe?

https://clawhub.ai/byungkyu/zoho-bigin

Overall score: 72 (CAUTION)

This skill is a documentation-only Zoho Bigin CRM integration that routes all API traffic through a third-party proxy service (maton.ai). While it contains no executable code or install hooks, the fundamental architecture requires users to send their API keys and OAuth tokens to the proxy operator, who gains persistent access to all CRM data. The skill also cross-promotes installation of an additional skill from the same author. Filesystem monitoring during installation detected access to sensitive files (.env, .aws/credentials), though this may be platform runtime behavior rather than skill-specific.

Category Scores

Prompt Injection 70/100 · 30%
Data Exfiltration 55/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 65/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 55/100 · 5%

Findings (9)

HIGH API key transmitted to third-party proxy service -30

Every API call routes through gateway.maton.ai and ctrl.maton.ai rather than directly to Zoho's API. The user's MATON_API_KEY is sent as a Bearer token to these third-party endpoints. This creates a persistent man-in-the-middle where the proxy operator (Maton) can intercept all CRM data and the authentication token itself.

HIGH OAuth connection management exposes credentials to third party -15

The skill instructs users to create OAuth connections via ctrl.maton.ai and complete authorization at connect.maton.ai. This means the Maton service holds the user's Zoho OAuth tokens, not the user directly. The service operator has persistent access to the user's Zoho Bigin account.

MEDIUM Cross-skill promotion with direct install URL -15

The skill description includes 'For other third party apps, use the api-gateway skill (https://clawhub.ai/byungkyu/api-gateway)' which could lead an LLM agent to autonomously install another skill from the same author, expanding the attack surface without explicit user consent.

MEDIUM Executable code blocks presented as agent actions -15

SKILL.md contains numerous Python heredoc code blocks that an LLM agent will interpret as ready-to-execute commands. These blocks read environment variables and make HTTP requests to external services. While the code itself is not malicious, the pattern of embedding executable snippets that transmit credentials is a concern.

MEDIUM Sensitive file access during installation -35

Filesystem monitoring detected access to /home/oc-exec/.env, /home/oc-exec/.aws/credentials, and /home/oc-exec/.openclaw/agents/main/agent/auth-profiles.json during the install phase. While this may be standard ClawHub/OpenClaw runtime behavior rather than skill-specific activity, it shows the install environment reads sensitive credential files.

MEDIUM Destructive CRM operations without guardrails -20

The skill provides DELETE endpoints for both CRM records and OAuth connections with no confirmation patterns or safety warnings. An LLM agent could delete customer contacts, companies, or pipeline data if it misinterprets a user request. Bulk delete supports up to 100 records per call.

LOW Full CRM data accessible through proxy -25

The skill provides access to read, create, update, and delete contacts, companies, pipelines, and products — the entirety of a user's Zoho Bigin CRM data. Combined with the third-party proxy architecture, this represents significant data exposure.

INFO No executable files or install hooks 0

The skill contains only documentation files (SKILL.md, _meta.json, LICENSE.txt, origin.json, lock.json). No package.json install scripts, git hooks, submodules, or symlinks were detected. Code examples use only Python standard library.

INFO No canary file tampering 0

All honeypot files (fake .env, SSH keys, AWS credentials) remained intact throughout the audit. No evidence of credential harvesting via the canary mechanism.