Is zoho-mail safe?

https://clawhub.ai/byungkyu/zoho-mail

72
CAUTION

This is a documentation-only skill that provides Zoho Mail API integration through the Maton gateway (maton.ai). It contains no executable code or malicious payloads, and canary files were untouched. However, it routes all email data through a third-party proxy, grants an LLM agent full email send/read/delete capabilities that could be abused via prompt injection, and cross-promotes installation of additional skills. The inherent risk lies not in the skill's code, but in the broad permissions it grants an AI agent over sensitive email communications via a third-party intermediary.

Category Scores

Prompt Injection 70/100 · 30%
Data Exfiltration 55/100 · 25%
Code Execution 90/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 45/100 · 5%

Findings (8)

HIGH All email data routes through third-party proxy (maton.ai) -25

Every API call — reading emails, sending messages, downloading attachments — is proxied through gateway.maton.ai. This third-party intermediary handles OAuth token injection and has access to all email content in transit. Users must trust both Zoho and Maton with their email data.

HIGH Full email CRUD enables agent-mediated email abuse -40

The skill grants an LLM agent the ability to send emails from the user's account, read all messages, delete emails, and manage folders. A prompt injection attack or social engineering could cause the agent to send phishing emails, forward sensitive correspondence to attackers, or delete evidence of compromise.

MEDIUM Cross-promotion of another skill with direct install URL -15

The skill description includes 'For other third party apps, use the api-gateway skill (https://clawhub.ai/byungkyu/api-gateway)' which could prompt an agent to install additional skills, expanding the attack surface without explicit user consent.

MEDIUM Inline executable code templates encourage uncritical execution -15

The SKILL.md contains over 20 python heredoc code blocks designed to be copy-pasted and executed. An LLM agent following these templates would execute network requests to maton.ai endpoints without additional verification, establishing a pattern of trusting and running embedded code.

MEDIUM Single API key unlocks all connected services -20

The MATON_API_KEY environment variable is a master credential that provides access to all Maton-connected services, not just Zoho Mail. If this key is leaked or compromised, all connected OAuth integrations are exposed.

LOW Installation runtime reads sensitive dotfiles -15

During installation, the openclaw runtime reads .env, .aws/credentials, .profile, and .bashrc. While this appears to be standard runtime behavior (not skill-initiated), it demonstrates that the installation environment has access to sensitive credentials.

INFO No executable code in skill package 0

The skill contains only SKILL.md, _meta.json, LICENSE.txt, and origin.json. No scripts, hooks, or executable files are present. The package.json is empty. This is a documentation-only skill.

INFO No canary file tampering detected 0

All honeypot files (.env, SSH keys, AWS credentials) remained intact during the audit, indicating no active credential harvesting behavior.