Zoho Bigin CRM

v2.0.0

Zoho Bigin CRM CLI. Search deals, contacts, accounts. Add notes, move deal stages. Use when user asks about CRM, deals, pipeline status, or needs to update B...

by Ingo @ingodibella
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill claims to be a Zoho Bigin CLI and documents use of scripts/bigin.sh, bigin-map.json, and an OAuth credentials file (~/.bigin-oauth.json). The registry metadata, however, lists no required binaries, no required env vars, and no required config paths. Expectation: a CLI skill should either bundle the CLI or declare how it will be installed and which credentials/config paths it needs. That mismatch is concerning.
! Instruction Scope
The runtime instructions direct the agent to run bash scripts (scripts/bigin.sh), to read and write config files (bigin-map.json, ~/.bigin-oauth.json), and to auto-refresh tokens. Those actions are coherent with a CRM CLI, but the skill package contains only SKILL.md and no scripts or README. Because the instructions direct the agent to execute local scripts that are neither supplied nor described, it is unclear what code will run. The instructions also reference environment flags (BIGIN_WRITE, BIGIN_CONFIRM, BIGIN_CREDS_FILE) that gate write/delete behavior, but these variables are not declared in the metadata.
! Install Mechanism
No install spec is provided. For a CLI-style skill, absence of an install or bundled code is acceptable if the environment already provides the CLI, but the SKILL.md references scripts, a README, and map generation logic that are not present in the package and no guidance is given on obtaining them. This gap creates ambiguity about what will be executed at runtime.
! Credentials
The documented runtime uses an OAuth credentials file (~/.bigin-oauth.json) and several environment flags (BIGIN_CREDS_FILE, BIGIN_WRITE, BIGIN_CONFIRM) — all relevant to CRM access. However, the registry metadata declares no required env vars or primary credential. The skill therefore references sensitive local credentials without declaring them, which is an incoherence and a potential privacy risk if the agent is allowed to read/write those files.
Persistence & Privilege
The skill does not request always:true and has no install actions in the package, so it does not demand elevated persistent privilege on its face. However, the CLI's token auto-refresh behavior implies writing credential state (refresh tokens) to disk; combined with the absent install details and missing declarations about which files are read/written, this is worth verifying before use.
What to consider before installing
Do not install or enable this skill blindly. Before trusting it: (1) verify where scripts/bigin.sh and the README come from — the package contains only SKILL.md and no scripts; (2) confirm whether you already have a trusted Zoho Bigin CLI installed on the host (and from what vendor/source); (3) inspect ~/.bigin-oauth.json and ensure any OAuth tokens are from a trusted setup and that the skill is allowed to read/write them; (4) require explicit documentation of install steps or an official vendor integration; (5) if you allow the skill, restrict write/delete operations (use BIGIN_WRITE gating and require human confirmation) and avoid granting autonomous invocation until you’ve reviewed the actual CLI implementation. If the publisher can provide the missing scripts or an install spec (and declare the credential/config paths), re-run this evaluation.

Like a lobster shell, security has layers — review code before you run it.

latestvk975022vqx2ezwqnfeej3840d1827a5h
