Zoho Inventory

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Zoho Inventory integration, but it gives broad authenticated power to change business records without clear approval safeguards.

Review before installing. Use a least-privilege Zoho account, prefer predefined Membrane actions over raw API proxy requests, and require the agent to show the exact action or HTTP method, endpoint, and body before any create, update, delete, shipment, purchase, or payment operation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 88%
Finding
The skill description is very broad: 'Use when the user wants to interact with Zoho Inventory data.' That can cause an agent to invoke this skill in many loosely related situations, increasing the chance of unnecessary external access, unintended data exposure, or actions being taken against the wrong system without tighter scoping.

VirusTotal

65/65 vendors flagged this skill as clean.
