Back to skill

Security audit

Zoho Bigin

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Zoho Bigin CRM integration that uses Maton-managed OAuth, with one scoping documentation mismatch to review but no evidence of hidden or malicious behavior.

Install only if you are comfortable giving the skill access to the connected Zoho Bigin CRM data through Maton. Review the Zoho/Maton OAuth scopes and treat create, update, or delete actions as business-data mutations that should be user-approved before execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The manifest and description scope the skill to contacts, companies, pipelines, and products, but the documentation exposes additional modules such as Tasks, Events, Calls, Notes, plus users and metadata endpoints. This creates a capability mismatch that can lead an agent or user to access broader CRM data than expected, weakening least-privilege assumptions and consent boundaries.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.