Is zoho-recruit safe?
https://clawhub.ai/byungkyu/zoho-recruit
This skill is a documentation-only Zoho Recruit API integration that routes all traffic through a third-party proxy (maton.ai). It contains no executable code or malicious payloads, but the architectural dependency on maton.ai means the user's API credentials and all recruitment data (candidate PII, interviews, job openings) flow through an intermediary with full read/write access. The install process accessed sensitive files (.aws/credentials, .env), which may be standard runtime behavior but warrants caution.
Findings (9)
HIGH (-30): All API traffic routed through third-party proxy
Every API call sends the user's MATON_API_KEY to gateway.maton.ai and ctrl.maton.ai rather than directly to Zoho. This third-party intermediary has full access to all recruitment data including candidate PII, interview details, and job openings. The proxy operator can read, log, or modify all traffic.
MEDIUM (-15): Inline executable code blocks designed for agent execution
The SKILL.md contains numerous Python heredoc code blocks (python <<'EOF'...EOF) that the agent is expected to execute directly. While these currently contain legitimate API calls, this pattern gives the skill author significant control over code the agent runs. A malicious update could inject arbitrary Python code that would be executed with the agent's full permissions.
MEDIUM (-10): Cross-skill promotion in description
The skill description promotes another skill (api-gateway) with a direct clawhub.ai URL, potentially leading to cascading trust and installation of additional unreviewed skills.
MEDIUM (-10): Troubleshooting instructs printing API key
The troubleshooting section includes 'echo $MATON_API_KEY', which, if the agent follows this instruction, would expose the secret API key in the conversation output or logs.
MEDIUM (-25): Install process accessed sensitive files
During installation, the filesystem monitor recorded reads to .env, .aws/credentials, .openclaw/openclaw.json, and auth-profiles.json. While some may be standard ClawdBot runtime behavior, the access to .aws/credentials is notable and warrants caution.
LOW (-7): Skill requests broad permissions beyond stated scope
The skill declares it needs 'network access' broadly, and the API provides full CRUD operations including DELETE on candidates, job openings, interviews, and other modules. This is a wide surface area for potential misuse.
INFO (-5): No executable code in package
The skill contains only documentation files (SKILL.md, _meta.json, LICENSE.txt, origin.json, lock.json). No JavaScript, Python, shell scripts, or other executable files are bundled.
INFO (-10): No git hooks, submodules, or symlinks
The skill package contains no .githooks, .gitattributes filters, .gitmodules, or symbolic links that could execute code during clone or checkout.
INFO (-45): Proxy gateway creates single point of failure and trust
Users must trust maton.ai as an intermediary for all their Zoho Recruit operations. If maton.ai is compromised, goes offline, or acts maliciously, all recruitment data operations are affected. There is no way to use this skill with direct Zoho API access.