Is zoho-books safe?

https://clawhub.ai/byungkyu/zoho-books

72
CAUTION

This skill is a documentation-only Zoho Books API integration that routes all financial data through a third-party proxy service (Maton/gateway.maton.ai). While it contains no malicious code, executable payloads, or install hooks, the fundamental architecture requires users to trust a third party with full read/write access to their accounting data, including invoices, bills, contacts, and expenses. The cross-promotion of additional skills from the same author and the pattern of encouraging the agent to execute Python heredoc blocks in the shell add moderate risk.

Category Scores

Prompt Injection 68/100 · 30%
Data Exfiltration 60/100 · 25%
Code Execution 82/100 · 20%
Clone Behavior 72/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 55/100 · 5%

Findings (11)

HIGH All financial data routed through third-party proxy -25

Every API request is proxied through gateway.maton.ai rather than going directly to zohoapis.com. The Maton gateway intercepts the OAuth token injection and has full visibility into all request and response data, including sensitive financial records (invoices, contacts, bills, expenses). Users must fully trust this third party with their accounting data.

HIGH API key and OAuth tokens sent to third party -15

The MATON_API_KEY is sent as a Bearer token on every request to the Maton gateway. Additionally, OAuth connection management is handled through ctrl.maton.ai, meaning Maton stores and manages the user's Zoho Books OAuth credentials. This creates a single point of compromise for all financial data access.

MEDIUM Cross-skill promotion and chaining -15

The skill description explicitly promotes another skill (api-gateway) by full URL, encouraging the agent to install additional skills from the same author. This creates a pattern where one skill bootstraps trust for others, potentially expanding the attack surface.

MEDIUM Agent directed to execute Python code blocks via shell -10

The skill provides numerous Python heredoc examples intended for direct shell execution. While the code itself is benign (stdlib urllib calls), this establishes a pattern where the agent routinely executes Python code from skill instructions, which could be exploited if the skill content were modified or if a prompt injection occurred within API response data.

MEDIUM Troubleshooting instructs agent to echo API key -7

The troubleshooting section instructs the agent to run 'echo $MATON_API_KEY', which would expose the API key in terminal output, logs, or any monitoring system capturing stdout.

MEDIUM Install process accessed sensitive configuration files -18

During installation, the process read .env, .aws/credentials, .profile, .bashrc, and multiple openclaw configuration files. While this appears to be the openclaw runtime's standard behavior (not the skill itself), it means the install environment has access to sensitive credentials.

MEDIUM Full CRUD access to financial records via untrusted proxy -30

The skill provides create, update, and delete operations for invoices, contacts, bills, and expenses. If the Maton gateway were compromised, an attacker could create fraudulent invoices, delete financial records, or modify contact payment details — all without direct access to the Zoho Books account.

MEDIUM OAuth flow involves opening third-party URLs in browser -15

The connection management flow instructs users to open a connect.maton.ai URL in their browser to complete OAuth authorization. A compromised gateway could serve a phishing page that captures Zoho credentials directly.

LOW No executable code or install hooks in skill package -8

The skill contains only documentation files (SKILL.md, LICENSE.txt, metadata JSON). No package.json with install scripts, no git hooks, no submodules, no symlinks. Code execution risk comes only from the agent following the embedded Python examples.

INFO All honeypot files remained intact 0

No canary files were accessed or modified during installation, indicating no credential harvesting behavior during the install phase.

LOW Temporary files created in /tmp during install -10

The install process created a gateway lockfile and multiple jiti transpiler cache files in /tmp. These appear to be standard openclaw runtime artifacts rather than malicious behavior from the skill itself.