Is zoho-inventory safe?

https://clawhub.ai/byungkyu/zoho-inventory

82
SAFE

This skill is a documentation-only Zoho Inventory API integration that proxies all requests through Maton's managed OAuth gateway (gateway.maton.ai). It contains no executable code, no install hooks, and exhibited no suspicious behavior during installation. The primary risk is the inherent trust placed in the third-party Maton proxy, which receives the user's API key and has full access to Zoho Inventory data, and the broad CRUD permissions on business-critical financial records that a manipulated agent could abuse.

Category Scores

Prompt Injection 72/100 · 30%
Data Exfiltration 78/100 · 25%
Code Execution 90/100 · 20%
Clone Behavior 100/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 65/100 · 5%

Findings (7)

MEDIUM API key sent to third-party proxy -15

The MATON_API_KEY environment variable is transmitted as a Bearer token to gateway.maton.ai and ctrl.maton.ai on every API call. This third-party proxy has full access to the user's Zoho Inventory data and OAuth tokens. While this is the intended design of the managed OAuth pattern, it means all inventory, financial, and contact data flows through Maton's infrastructure.

LOW Cross-skill promotion in description -8

The skill description includes a reference to another skill: 'For other third party apps, use the api-gateway skill (https://clawhub.ai/byungkyu/api-gateway).' This could lead an agent to suggest or install additional skills from the same author, expanding the trust boundary without explicit user consent.

LOW Inline code execution patterns in examples -5

The skill provides numerous Python heredoc examples (python <<'EOF'...EOF) that an LLM agent would execute directly when following the skill's instructions. While these are legitimate API usage examples, they normalize the pattern of the agent running inline code from skill documentation.

MEDIUM Broad destructive CRUD operations on financial data -20

The skill enables full create/read/update/delete operations on business-critical records including invoices, bills, sales orders, purchase orders, and contacts. A manipulated agent could delete inventory, void invoices, create fraudulent orders, or modify vendor/customer contact details, causing significant business harm.

LOW Connection management exposes OAuth session tokens -7

The connection management endpoints return OAuth session URLs (https://connect.maton.ai/?session_token=...) that could potentially be logged or leaked through agent conversation history.

INFO No executable code in repository 0

The skill contains only documentation (SKILL.md), metadata (_meta.json), a license, and origin tracking. No scripts, hooks, submodules, or symlinks are present. The package.json is empty.

INFO Clean installation with no anomalous behavior 0

Monitoring detected no network activity, no process execution, no filesystem changes outside the skill directory, and no firewall violations during installation.