Zoho Bookings
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: zoho-bookings Version: 1.0.3 The zoho-bookings skill provides a standard integration for managing Zoho Bookings via a managed OAuth proxy service (api.maton.ai). The SKILL.md file contains legitimate API documentation and Python snippets for interacting with workspaces, services, and appointments using a MATON_API_KEY. No evidence of data exfiltration, malicious execution, or prompt injection was found; the code logic is consistent with the stated purpose of the skill.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If misused, the agent could create, update, or delete booking-related records in the connected Zoho Bookings account.
The skill can perform create, read, update, and delete actions against Zoho Bookings resources. This is expected for the stated integration, but write actions can affect real scheduling/business data.
Manage appointments, services, staff, and workspaces with full CRUD operations.
Only approve write operations after checking the target workspace, service, staff member, or appointment and the intended change.
Anyone or any agent action using the API key may be able to access the connected Zoho Bookings integration according to the account’s permissions.
The skill requires a Maton API key and uses managed OAuth to act on the user's Zoho Bookings account. This delegated authority is necessary for the integration but sensitive.
All requests require the Maton API key in the Authorization header: Authorization: Bearer $MATON_API_KEY
Keep the MATON_API_KEY private, use the intended Zoho connection, and revoke or rotate credentials if they are exposed.
Zoho Bookings requests and responses may pass through Maton’s infrastructure, so trust in that service is required.
Requests flow through the Maton API gateway before reaching Zoho, and Maton manages the OAuth token. This is clearly disclosed and central to the skill’s design, but it means booking data and delegated access depend on that third-party service.
Maton proxies requests to `www.zohoapis.com/bookings/v1/json` and automatically injects your OAuth token.
Use this skill only if you trust Maton to handle the Zoho OAuth connection and booking data; review and delete unused connections.