Zoho Inventory

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: zoho-inventory
Version: 1.0.4

The skill bundle provides a legitimate integration for Zoho Inventory via the Maton API gateway (api.maton.ai). It includes comprehensive documentation for CRUD operations on inventory items, orders, and contacts. Crucially, it contains explicit instructions in SKILL.md for the AI agent to obtain user approval before performing any write operations. No indicators of malicious intent, such as data exfiltration or unauthorized execution, were found.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An approved write action could change or delete business records or create financial/order documents in the connected Zoho Inventory account.

Why it was flagged

The skill can create, update, and delete important Zoho Inventory business records. This is aligned with the skill purpose, but mistakes could affect orders, invoices, bills, or inventory.

Skill content

Manage items, sales orders, invoices, purchase orders, bills, contacts, shipment orders, and item groups with full CRUD operations.

Recommendation

Use explicit confirmation for every write or delete, verify the Zoho connection and target resource, and prefer read-only requests when possible.

What this means

Anyone with the Maton API key may be able to use the connected Zoho Inventory authorization according to the account’s permissions.

Why it was flagged

The skill requires a bearer API key that enables authenticated access through Maton. This is expected for the integration, but it is a sensitive credential.

Skill content

All requests require the Maton API key in the Authorization header: `Authorization: Bearer $MATON_API_KEY`

Recommendation

Keep MATON_API_KEY secret, rotate it if exposed, and use the least-privileged Maton/Zoho account suitable for the task.

What this means

Inventory, customer/vendor, order, invoice, and bill data may pass through the Maton service while using the skill.

Why it was flagged

Zoho Inventory API traffic and OAuth handling go through the Maton gateway. This is disclosed and purpose-aligned, but it means Maton is part of the sensitive data path.

Skill content

Maton proxies requests to `www.zohoapis.com/inventory/v1` and automatically injects your OAuth token.

Recommendation

Install only if you trust Maton with this Zoho Inventory connection, and review Maton’s access, audit, and revocation controls.

What this means

Users have less registry-provided context for verifying who maintains the skill before granting API-key-backed access.

Why it was flagged

The registry metadata does not provide a source repository or homepage. There is no code to install, but provenance is still relevant because the skill directs use of a credentialed third-party service.

Skill content

Source: unknown; Homepage: none

Recommendation

Verify the publisher and Maton service independently before connecting a production Zoho Inventory account.