Zoho People
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used incorrectly, the agent could create, update, or delete HR data such as employee, attendance, or leave records.
The skill can perform high-impact HR record operations, including writes. This matches the Zoho People management purpose, and the artifact also says write operations require explicit user approval.
Manage employees, departments, designations, attendance, leave, and custom HR forms with full CRUD operations.
Approve only specific, reviewed write actions; confirm the target employee or record and intended effect before allowing changes.
Anyone or any agent with the Maton API key may be able to access the linked Zoho People data according to the connected account permissions.
The skill requires a Maton API key that is used to access the connected Zoho People account. This is expected for the integration but grants delegated authority to sensitive HR data.
All requests require the Maton API key in the Authorization header: Authorization: Bearer $MATON_API_KEY
Use the least-privileged Zoho/Maton account available, keep MATON_API_KEY secret, rotate it if exposed, and remove unused connections.
HR request and response data may flow through Maton's gateway while interacting with Zoho People.
Zoho People API traffic and OAuth handling pass through the Maton gateway. This is disclosed and central to the skill, but it is a sensitive third-party data boundary.
Maton proxies requests to `people.zoho.com` and automatically injects your OAuth token.
Verify that Maton is an acceptable processor for your HR data and use the `Maton-Connection` header when multiple connections exist.
Users have less registry-level information for confirming who maintains the skill before connecting an HR system.
The registry metadata does not provide a source repository or homepage, which limits provenance checks. There is no code or install script in this artifact set, so this is a verification note rather than evidence of malicious behavior.
Source: unknown; Homepage: none
Verify the publisher and Maton service independently before authorizing Zoho People access.