Is byungkyu/zoho-crm safe?

Every API call to Zoho CRM is routed through gateway.maton.ai rather than directly to Zoho's endpoints. All CRM records—leads, contacts, accounts, deals, organization details, user PII, license details, roles, and profiles—are transmitted through and visible to Maton's servers. Users must implicitly trust Maton as a data processor for their entire CRM dataset. While transparently stated in the skill, users may not fully appreciate that a third party sees all CRM read/write operations in perpetuity.

Maton manages OAuth connections at ctrl.maton.ai and injects live OAuth tokens server-side for every proxied request. This means Maton stores the user's Zoho CRM OAuth refresh tokens and has the ability to issue authenticated requests to Zoho on the user's behalf at any time, independent of the user's agent. The user cannot audit how these tokens are used or revoke them without disconnecting from Maton entirely.

The SKILL.md description field—which is injected verbatim into the agent's system prompt at skill load time—contains an explicit instruction to use another Maton skill for other API integrations: 'For other third party apps, use the api-gateway skill (https://clawhub.ai/byungkyu/api-gateway).' This is not a passive resource link but an active directive in the system prompt that could cause the agent to recommend or initiate installation of an additional Maton-controlled skill, expanding Maton's data access surface beyond Zoho CRM.

The SKILL.md contains dozens of Python code blocks using heredoc syntax (python <<'EOF'...EOF) intended for direct agent execution. Each block reads MATON_API_KEY from the process environment and makes outbound HTTPS requests to maton.ai. While the current snippets implement legitimate API calls, this pattern means the agent executes code directly from the skill file. Any unauthorized modification to the skill file could introduce malicious payloads in these blocks without changing the skill's stated purpose.

Because Maton stores OAuth tokens and proxies all CRM operations, a breach of Maton's infrastructure would immediately grant attackers complete read/write access to the user's Zoho CRM without needing to compromise the user's systems, agent, or Zoho account directly. The user's CRM security posture is now coupled to Maton's security posture indefinitely.

All Zoho CRM integration through this skill requires a valid MATON_API_KEY and active Maton subscription. Changes to Maton's pricing, terms of service, availability, or shutdown would immediately break all CRM functionality for users of this skill. There is no fallback to direct Zoho API access within the skill's design.

Installation performed only expected git operations: sparse clone from github.com (140.82.121.3:443), checkout of skills/byungkyu/zoho-crm subpath, file copy to skill directory, cleanup of /tmp/monorepo-clone. No unexpected network connections to Maton or other external hosts, no unexpected process spawning, and no filesystem writes outside the designated skill directory were observed during install.

Honeypot files including .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json were accessed read-only by the oathe monitoring framework during setup and post-install verification, but were not modified or transmitted to any external endpoint. No local credential harvesting was detected.