Zoho Bigin

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Zoho Bigin CRM integration, but it relies on a Maton API key and a Maton-managed OAuth connection, and it can read or change CRM records, so users should verify the connected account and confirm write actions carefully.

Before installing, make sure you trust Maton with access to your Zoho Bigin data, store MATON_API_KEY securely, and require clear confirmation before any create, update, delete, or connection-management action.

VirusTotal

65/65 vendors flagged this skill as clean.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Medium
What this means

If used incorrectly, the agent could create, update, or delete important CRM data.

Why it was flagged

The skill can perform mutating CRM actions, including deletes, which is expected for the stated CRM-management purpose but can affect business records.

Skill content
Use this skill when users want to read, create, update, or delete CRM records
Recommendation

Approve write/delete actions only after confirming the exact record, account connection, and intended effect.

ASI03: Identity and Privilege Abuse
Medium
What this means

Anyone, or any agent action, holding this key may be able to access the connected Bigin CRM account within the permissions granted to the connection.

Why it was flagged

The Maton API key is the credential used to access the connected Zoho Bigin account through the managed OAuth service.

Skill content
All requests require the Maton API key in the Authorization header: Authorization: Bearer $MATON_API_KEY
Recommendation

Keep MATON_API_KEY private, use the intended Maton connection, and revoke or rotate the key if it is exposed.

ASI07: Insecure Inter-Agent Communication
Low
What this means

CRM data and operations pass through a third-party gateway rather than going directly from the agent to Zoho.

Why it was flagged

CRM requests and responses are routed through the Maton gateway, so the user must trust that provider with the OAuth-mediated data flow.

Skill content
Maton proxies requests to `www.zohoapis.com/bigin/v2` and automatically injects your OAuth token.
Recommendation

Review Maton's security and privacy posture before connecting sensitive CRM data, and avoid sending unnecessary fields.