Is zoho-crm safe?

https://clawhub.ai/byungkyu/zoho-crm

78
CAUTION

This is a documentation-only skill that provides Zoho CRM API integration through Maton's OAuth gateway proxy. It contains no executable code, install hooks, or malicious payloads, and installation monitoring was completely clean. The primary concern is that all CRM data (including customer PII) is routed through Maton's third-party infrastructure rather than directly to Zoho, requiring users to trust an additional intermediary. The skill also normalizes the pattern of agents executing inline Python code that sends environment secrets to external services.

Category Scores

Prompt Injection 72/100 · 30%
Data Exfiltration 70/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 55/100 · 5%

Findings (9)

MEDIUM All CRM data routed through third-party proxy -20

Every API call routes through gateway.maton.ai rather than directly to Zoho's API. This means all CRM data (customer PII, deals, contacts, accounts) transits through Maton's infrastructure. The MATON_API_KEY is sent to Maton on every request. Users must fully trust Maton as an intermediary with visibility into all their CRM operations.

MEDIUM Cross-skill reference encourages additional skill installation -10

The skill description explicitly references and links to another skill (api-gateway) by full ClawHub URL, encouraging users to install additional skills from the same author. This could be used to expand the attack surface by chaining skills.

MEDIUM Embedded executable Python code templates -10

The SKILL.md contains over 20 inline Python code blocks using heredoc syntax that the agent is expected to copy and execute. While each block performs legitimate API calls, this pattern normalizes the agent executing network-calling code provided by skill authors, which could be exploited by a malicious skill using similar patterns.

LOW Session tokens exposed in OAuth connection URLs -5

The connection creation flow returns URLs containing session tokens (connect.maton.ai/?session_token=...) that could be logged by the agent, appear in shell history, or be leaked through other means.

LOW Skill conditions agent to send env secrets to external services -8

The skill teaches the agent to read MATON_API_KEY from the environment and send it as a Bearer token to third-party endpoints. While this is the intended auth mechanism, it establishes a behavioral pattern where the agent is comfortable sending environment secrets to external URLs specified in skill instructions.

LOW Troubleshooting instructs echoing API key -5

The troubleshooting section tells users to run 'echo $MATON_API_KEY' which could leak the key to terminal logs, shell history, or monitoring tools.

INFO No executable code or install hooks present 0

The skill repository contains only documentation files (SKILL.md, _meta.json, LICENSE.txt, origin.json). No JavaScript, Python, shell scripts, npm install hooks, git hooks, submodules, or symlinks are present.

INFO Clean installation with no side effects 0

Monitoring detected zero filesystem events, network connections, process executions, or firewall blocks during installation. The skill installed cleanly with no observable side effects.

INFO Destructive CRM operations available -5

The skill provides templates for DELETE operations on CRM records and OAuth connections. While these are legitimate CRM operations, an agent misinterpreting user intent could accidentally delete important business data.