Is zoho-calendar safe?

https://clawhub.ai/byungkyu/zoho-calendar

82
SAFE

The zoho-calendar skill is a legitimate Zoho Calendar API integration that routes all traffic through Maton's OAuth proxy gateway. It contains no malicious code, prompt injection attempts, or dangerous installation behavior. The primary risk is the trust requirement on Maton as a third-party intermediary that has full access to the user's calendar data and OAuth tokens. The cross-reference to another skill (api-gateway) mildly expands potential attack surface.

Category Scores

Prompt Injection 75/100 · 30%
Data Exfiltration 78/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 70/100 · 5%

Findings (7)

MEDIUM All API traffic routed through third-party proxy -15

Every Zoho Calendar API call is proxied through gateway.maton.ai rather than going directly to calendar.zoho.com. This gives the Maton service full visibility into all calendar data including event titles, descriptions, attendees, and scheduling information. Users must trust both Zoho and Maton with their calendar data.

MEDIUM Cross-references external skill for expanded functionality -15

The skill description explicitly directs users to install another skill (api-gateway) for other third-party apps. This skill-chaining pattern could expand the attack surface if the referenced skill is compromised or malicious. The reference appears in the YAML frontmatter description field which is injected into agent system prompts.

LOW Broad tool permission requirements -10

The skill requires network access and environment variable access (MATON_API_KEY). While appropriate for its stated purpose, these permissions are broad enough that a compromised skill update could leverage them for data exfiltration without requiring new permissions.

LOW OAuth token managed by third party -7

The user's Zoho OAuth token is stored and managed by Maton's infrastructure (ctrl.maton.ai for connection management, gateway.maton.ai for token injection). The user never sees or controls their own OAuth token directly, relying entirely on Maton's security practices.

INFO Inline Python code examples use shell execution -5

The skill provides Python code examples using heredoc syntax (python <<'EOF') that the agent will execute. While these are standard API call patterns and do not contain malicious logic, they establish a pattern of shell-executed Python which could be dangerous if skill content were tampered with.

INFO Runtime environment reads sensitive files during bootstrap -10

The OpenClaw runtime (not the skill itself) read .env, .aws/credentials, and various config files during installation. This is standard runtime behavior but means the execution environment has access to sensitive credentials.

INFO Calendar data exposure through proxy architecture -30

If this skill is active and a user asks the agent to manage their calendar, all event data (including potentially sensitive meeting details, attendee lists, and scheduling patterns) flows through Maton's servers. A sophisticated attacker controlling Maton infrastructure could harvest organizational intelligence from calendar metadata.