Is zoho-people safe?
https://clawhub.ai/byungkyu/zoho-people
This is a documentation-only skill with no executable files in its repository, clean clone behavior, and intact canary files. However, it routes ALL Zoho People API traffic (including sensitive HR/PII data) through a third-party proxy (maton.ai) that holds OAuth tokens server-side, creating significant data exposure risk. The skill also cross-promotes additional skills from the same author that use the same proxy infrastructure, and its SKILL.md contains numerous executable code templates that send credentials to the proxy.
Findings (9)
HIGH All API traffic proxied through a third party (maton.ai) -30
Every API call routes through gateway.maton.ai rather than directly to people.zoho.com. This gives the maton.ai proxy full access to read and log all HR data including employee PII, attendance records, leave data, and organizational structure. The user's MATON_API_KEY is sent as a Bearer token on every request, and OAuth tokens are managed server-side by maton.ai.
HIGH OAuth connection management grants persistent third-party access -15
The ctrl.maton.ai connection management endpoints allow creating, listing, and managing OAuth connections to Zoho People. Once an OAuth connection is created, maton.ai holds the refresh tokens server-side, giving them persistent access to the user's Zoho People account even if the user later removes the skill.
MEDIUM Cross-skill promotion to api-gateway skill -15
The skill description includes 'For other third party apps, use the api-gateway skill (https://clawhub.ai/byungkyu/api-gateway)' which encourages the agent to install additional skills from the same author, expanding the attack surface through the same maton.ai proxy infrastructure.
MEDIUM Executable code blocks designed for agent execution -13
SKILL.md contains over 20 Python heredoc code blocks using the python <<'EOF' pattern that read environment variables (MATON_API_KEY) and make HTTP requests to maton.ai infrastructure. When the skill is injected into an agent's system prompt, the agent will execute these code patterns, sending credentials to the third-party proxy.
MEDIUM Skill establishes multiple trusted external domains -10
The skill normalizes agent communication with four distinct maton.ai subdomains (gateway.maton.ai, ctrl.maton.ai, connect.maton.ai, maton.ai) as trusted endpoints. This trains the agent to treat these domains as safe, which could be exploited if the skill content is later modified.
LOW CRUD operations on sensitive HR data through proxy -20
The skill provides full create, read, and update capabilities on employee records, departments, designations, leave, and attendance data. All modifications pass through the maton.ai proxy, which could log, alter, or deny operations. A compromised or malicious proxy could silently modify HR data.
LOW Scope creep risk from managed OAuth model -10
The skill mentions that some operations require 'additional OAuth scopes' and directs users to contact [email protected]. This creates a pathway for incremental scope expansion where the third party progressively gains more access to the user's Zoho account.
INFO Host framework reads sensitive files during install -5
Filesystem monitoring shows the host agent framework (not the skill) accessed .env, .aws/credentials, .openclaw/openclaw.json, .profile, and .bashrc during the install process. These are framework behaviors, not skill-initiated, but are noted for completeness.
INFO No executable code in skill repository -5
The skill contains only markdown (SKILL.md), metadata JSON files, and a LICENSE. No JavaScript, Python, shell scripts, or other executable files are present in the repository. No package.json, no install scripts, no git hooks.