Zoho Bigin
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: zoho-bigin
Version: 1.0.4
The skill provides a legitimate integration for Zoho Bigin CRM via the Maton API gateway (api.maton.ai). It facilitates CRM record management (Contacts, Accounts, Pipelines) using managed OAuth, requiring a MATON_API_KEY environment variable. The Python snippets in SKILL.md are standard API interaction examples using urllib.request and align perfectly with the stated purpose without any signs of data exfiltration, malicious execution, or prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used incorrectly, the agent could create, update, or delete important CRM data.
The skill can perform mutating CRM actions, including deletes, which is expected for the stated CRM-management purpose but can affect business records.
Use this skill when users want to read, create, update, or delete CRM records
Approve write/delete actions only after confirming the exact record, account connection, and intended effect.
Anyone, or any agent action, that holds this key may be able to access the connected Bigin CRM account, within the permissions granted to the connection.
The Maton API key is the credential used to access the connected Zoho Bigin account through the managed OAuth service.
All requests require the Maton API key in the Authorization header: `Authorization: Bearer $MATON_API_KEY`
Keep MATON_API_KEY private, use the intended Maton connection, and revoke or rotate the key if it is exposed.
CRM data and operations pass through a third-party gateway rather than going directly from the agent to Zoho.
CRM requests and responses are routed through the Maton gateway, so the user must trust that provider with the OAuth-mediated data flow.
Maton proxies requests to `www.zohoapis.com/bigin/v2` and automatically injects your OAuth token.
Review Maton's security and privacy posture before connecting sensitive CRM data, and avoid sending unnecessary fields.
