Zoho Bigin CRM
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is relevant to Zoho Bigin CRM, but it should be reviewed before use because it depends on a shell CLI that is not included in the package, on a local OAuth credential file, and on broad CRM write and raw API authority.
Before installing, obtain a trusted copy of scripts/bigin.sh and the OAuth setup documentation; verify that the credential file belongs to the intended Bigin account and grants only the scopes you need; leave write mode disabled unless you have approved a specific change; and avoid raw API calls unless you have reviewed the exact endpoint and payload.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked incorrectly, the agent could change CRM records in ways that are broader than the user expected.
The skill exposes a raw API path that can bypass the safer named commands and perform CRM mutations with arbitrary endpoints/payloads when BIGIN_WRITE is set.
### Raw API (escape hatch)
```bash
bash scripts/bigin.sh raw GET "/Pipelines?fields=Deal_Name,Stage&per_page=10"
BIGIN_WRITE=1 bash scripts/bigin.sh raw PUT "/Pipelines/<id>" '{"data":[{"Stage":"Won"}]}'
```
Use named read-only commands by default, require explicit user confirmation for every write, and avoid raw API calls unless the exact endpoint and payload are reviewed.
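One way to enforce that recommendation in front of the raw escape hatch, as an added example that is not code from the reviewed skill or from ClawScan (Python, because the skill already requires python3 on the host): read methods pass, but a mutating method is allowed only when BIGIN_WRITE=1 and the user has approved a fingerprint bound to the exact method, endpoint and canonical payload. The BIGIN_APPROVED_REQUEST variable and the fingerprint scheme are assumptions of this example, not part of the skill.

```python
"""Gate for the skill's `raw METHOD PATH [BODY]` escape hatch.

Reads pass. Mutating methods need BIGIN_WRITE=1 *and* an approval bound to a
hash of the exact method, endpoint and canonical payload, so approving one
write cannot be replayed against another record or a different payload.
BIGIN_APPROVED_REQUEST and the approval scheme are assumptions of this example.
"""
import hashlib
import json
import os
import sys
from typing import Optional, Tuple

READ_METHODS = {"GET", "HEAD", "OPTIONS"}
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def canonical_payload(body: Optional[str]) -> str:
    """Normalise the JSON body so whitespace or key order cannot dodge the hash."""
    if body is None or not body.strip():
        return ""
    return json.dumps(json.loads(body), sort_keys=True, separators=(",", ":"))


def request_fingerprint(method: str, path: str, body: Optional[str]) -> str:
    """SHA-256 over method, endpoint path and canonical payload."""
    material = "\n".join([method.upper(), path.strip(), canonical_payload(body)])
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def check_raw_call(method: str, path: str, body: Optional[str], env: dict) -> Tuple[bool, str]:
    """Return (allowed, reason) for a raw call under the given environment."""
    m = method.upper()
    if not path.startswith("/") or ".." in path or "://" in path:
        return False, "path must be a relative API path without traversal or a host"
    if m in READ_METHODS:
        return (False, "read methods must not carry a payload") if body else (True, "read")
    if m not in WRITE_METHODS:
        return False, f"unsupported method {m}"
    if env.get("BIGIN_WRITE") != "1":
        return False, "write mode disabled (BIGIN_WRITE != 1)"
    try:
        fp = request_fingerprint(m, path, body)
    except ValueError:
        return False, "payload is not valid JSON"
    # Assumed variable: the user sets it to the fingerprint after reviewing the exact request.
    if env.get("BIGIN_APPROVED_REQUEST", "") != fp:
        return False, f"write not approved; review and approve fingerprint {fp}"
    return True, "approved write"


if __name__ == "__main__":
    # Usage: python3 raw_gate.py METHOD PATH [BODY]; exit status 0 means the call may proceed.
    body_arg = sys.argv[3] if len(sys.argv) > 3 else None
    ok, why = check_raw_call(sys.argv[1], sys.argv[2], body_arg, dict(os.environ))
    print(why)
    sys.exit(0 if ok else 1)
```

Binding the approval to a hash rather than to a flag is the point: an approval given for `PUT /Pipelines/<id>` with one payload does not carry over to another record or another stage value, and reordering keys or adding whitespace in the JSON does not produce a new fingerprint to approve.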
Installing or using the skill may give the agent access to the user's Bigin account even though the credential requirement is not surfaced in the registry metadata.
The skill uses a local OAuth credential/session file and refreshes tokens, while the registry metadata declares no primary credential, required env vars, or config paths.
Credentials: `~/.bigin-oauth.json` (or set `BIGIN_CREDS_FILE`). See README.md for OAuth setup. ... Tokens auto-refresh (1h lifetime). If token errors occur, the CLI auto-refreshes and retries.
Declare the credential/config path in metadata, use least-privilege OAuth scopes, and confirm which account and scopes the credential file grants before use.
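A preflight for the credential file before the CLI is allowed to read it, as an added example that is not code from the reviewed skill or from ClawScan: it checks that the file is owned by the current user with mode 0600, parses as JSON, carries a refresh token, and grants no scope outside the set the user approved. The skill only documents the path lookup (`$BIGIN_CREDS_FILE`, else `~/.bigin-oauth.json`); the JSON layout (`refresh_token`, `scope` as a space-separated string) and the scope strings used in the demo are assumptions of this example.

```python
"""Preflight for the local OAuth credential file the skill reads.

Checks that the file is a regular file owned by the current user with mode
0600, parses as JSON, carries a refresh token, and grants no scope outside the
set the user approved. The JSON layout (refresh_token, scope as a
space-separated string) and the scope strings are assumptions of this example.
"""
import json
import os
import stat
import tempfile
from pathlib import Path
from typing import List, Set


def resolve_creds_path(env: dict) -> Path:
    """Same lookup order the skill documents: $BIGIN_CREDS_FILE, else ~/.bigin-oauth.json."""
    return Path(env.get("BIGIN_CREDS_FILE") or os.path.expanduser("~/.bigin-oauth.json"))


def check_permissions(mode: int, file_uid: int, expected_uid: int) -> List[str]:
    problems = []
    if stat.S_ISLNK(mode):
        problems.append("credential path is a symlink; point BIGIN_CREDS_FILE at the real file")
    if file_uid != expected_uid:
        problems.append(f"owned by uid {file_uid}, expected {expected_uid}")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {oct(stat.S_IMODE(mode))} is accessible to group/others; use 0600")
    return problems


def check_scopes(creds: dict, allowed: Set[str]) -> List[str]:
    problems = []
    scopes = set(str(creds.get("scope", "")).split())
    if not scopes:
        problems.append("no scope recorded; cannot confirm least privilege")
    extra = sorted(scopes - allowed)
    if extra:
        problems.append("scopes beyond the approved set: " + ", ".join(extra))
    if not creds.get("refresh_token"):
        problems.append("no refresh_token; the CLI's auto-refresh would fail")
    return problems


def preflight(path: Path, allowed: Set[str], expected_uid: int) -> List[str]:
    """Return an empty list when the file is safe to hand to the CLI."""
    if not path.exists():
        return [f"{path} does not exist"]
    st = path.lstat()  # lstat so a symlink is reported rather than followed silently
    problems = check_permissions(st.st_mode, st.st_uid, expected_uid)
    try:
        creds = json.loads(path.read_text())
    except ValueError:
        return problems + ["credential file is not valid JSON"]
    return problems + check_scopes(creds, allowed)


def demo() -> dict:
    """Run preflight over two constructed credential files (not real tokens)."""
    allowed = {"ZohoBigin.modules.pipelines.READ", "ZohoBigin.modules.contacts.READ"}  # illustrative
    uid = os.getuid()
    with tempfile.TemporaryDirectory() as d:
        good = Path(d) / "good.json"
        good.write_text(json.dumps({"refresh_token": "1000.constructed.example",
                                    "scope": "ZohoBigin.modules.pipelines.READ"}))
        os.chmod(good, 0o600)
        bad = Path(d) / "bad.json"
        bad.write_text(json.dumps({"access_token": "constructed",
                                   "scope": "ZohoBigin.modules.ALL ZohoBigin.settings.ALL"}))
        os.chmod(bad, 0o644)
        return {"good": preflight(good, allowed, uid), "bad": preflight(bad, allowed, uid)}
```

Run `preflight(resolve_creds_path(dict(os.environ)), allowed, os.getuid())` before the first `bigin.sh` invocation and refuse to continue on a non-empty result; the approved scope set is where "least-privilege OAuth scopes" becomes something checkable rather than a reminder.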
The agent may be directed to run code that is absent from the reviewed package or supplied from an unknown local source.
The instructions depend on a shell helper and setup materials, but the supplied artifact set contains only SKILL.md, with no scripts, install spec, README, or dependency declarations, so there is nothing to verify how the CLI handles credentials and CRM writes.
CLI: `bash scripts/bigin.sh <command> [args...]` Map: `bigin-map.json` (auto-generated, refresh with `bigin.sh map`) ... Required on host: `curl`, `jq`, `python3` (for map generation and stage validation).
Provide the referenced scripts and setup files in the package, pin or document dependencies, and ensure the agent runs only the reviewed helper from a trusted skill path.
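A way to pin the helper once it has been reviewed, as an added example that is not code from the reviewed skill or from ClawScan: resolve `scripts/bigin.sh` under the skill directory (following symlinks), refuse a path that escapes that directory, refuse a file whose SHA-256 no longer matches the digest recorded at review time, and invoke the survivor by absolute path with an explicit interpreter so neither PATH nor the working directory can substitute a different script. The directory layout and the digest in the demo are constructed for this example.

```python
"""Run only the reviewed copy of scripts/bigin.sh from the trusted skill path.

Resolves the helper under the skill directory (following symlinks), refuses a
path that escapes that directory, and refuses a file whose SHA-256 does not
match the digest recorded when the script was reviewed. The directory layout
and pinned digest are constructed for this example.
"""
import hashlib
import subprocess
import tempfile
from pathlib import Path
from typing import Optional


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def resolve_trusted_helper(skill_dir: Path, pinned_sha256: str) -> Path:
    """Return the absolute helper path only if it stays inside skill_dir and matches the pin."""
    root = skill_dir.resolve(strict=True)
    helper = (root / "scripts" / "bigin.sh").resolve(strict=True)
    if root not in helper.parents:
        raise PermissionError(f"{helper} resolves outside the skill directory {root}")
    actual = sha256_file(helper)
    if actual != pinned_sha256:
        raise PermissionError(
            f"bigin.sh digest {actual[:12]} does not match reviewed {pinned_sha256[:12]}; re-review before use")
    return helper


def run_helper(skill_dir: Path, pinned_sha256: str, *args: str,
               env: Optional[dict] = None) -> subprocess.CompletedProcess:
    """Invoke the verified helper by absolute path with an explicit interpreter (no PATH or cwd lookup)."""
    helper = resolve_trusted_helper(skill_dir, pinned_sha256)
    return subprocess.run(["bash", str(helper), *args], capture_output=True, text=True, env=env, check=False)


def demo() -> dict:
    """Exercise the checks against a constructed stand-in for bigin.sh (not the skill's script)."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        skill = Path(d) / "skill"
        (skill / "scripts").mkdir(parents=True)
        helper = skill / "scripts" / "bigin.sh"
        helper.write_text('#!/usr/bin/env bash\necho "stand-in helper: $*"\n')
        pin = sha256_file(helper)  # what the reviewer would record after reading the script
        out["reviewed"] = resolve_trusted_helper(skill, pin) == helper.resolve()
        out["stdout"] = run_helper(skill, pin, "map").stdout.strip()
        helper.write_text('#!/usr/bin/env bash\necho "modified after review"\n')
        try:
            resolve_trusted_helper(skill, pin)
            out["tampered"] = "allowed"
        except PermissionError:
            out["tampered"] = "refused"
        outside = Path(d) / "outside.sh"
        outside.write_text("#!/usr/bin/env bash\n")
        helper.unlink()
        helper.symlink_to(outside)  # scripts/bigin.sh now points outside the skill dir
        try:
            resolve_trusted_helper(skill, sha256_file(outside))  # digest would match; the path does not
            out["escaped"] = "allowed"
        except PermissionError:
            out["escaped"] = "refused"
    return out
```

The path check and the digest check catch different failures: a symlink swapped in under `scripts/` is refused even when its target's digest is the one on record, and an in-place edit is refused even though the path is the expected one.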
A stale or modified map could lead the agent to use incorrect CRM fields or stages during updates.
The skill creates and reuses a local CRM metadata map, which serves the skill's purpose but persists on disk and can become stale or be tampered with before it is used for stage validation or updates.
Map: `bigin-map.json` (auto-generated, refresh with `bigin.sh map`) ... Run `bash scripts/bigin.sh map` to discover your org's layouts, stages, sub-pipelines, and field definitions.
Store the map in a trusted location, refresh it before important updates, and confirm stage/field choices with the user before writing.
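Checks a practitioner could run on the map before any write, as an added example that is not code from the reviewed skill or from ClawScan: refuse a map whose SHA-256 no longer matches a companion digest recorded when `bigin.sh map` regenerated it, refuse one older than a chosen age, and resolve a requested stage against the exact names in the map so that a value like `Won` is rejected when the org's stage is spelled `Closed Won`. The map layout (`generated_at`, `sub_pipelines` with `stages`) and the sidecar digest file are assumptions of this example; the skill only says the map is auto-generated.

```python
"""Freshness and integrity checks for the skill's local bigin-map.json before a write.

Refuses a map whose SHA-256 no longer matches the companion bigin-map.json.sha256
written at generation time, refuses one older than MAX_AGE, and validates a
requested stage against the exact names in the map. The map layout
(generated_at, sub_pipelines -> stages) and the sidecar file are assumptions.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

MAX_AGE = timedelta(hours=24)


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sidecar_for(path: Path) -> Path:
    return path.with_name(path.name + ".sha256")


def record_digest(path: Path) -> None:
    """Write the digest sidecar right after `bigin.sh map` regenerates the file."""
    sidecar_for(path).write_text(f"{sha256_bytes(path.read_bytes())}  {path.name}\n")


def load_map(path: Path, now: datetime, max_age: timedelta = MAX_AGE) -> dict:
    raw = path.read_bytes()
    sidecar = sidecar_for(path)
    if not sidecar.exists() or sidecar.read_text().split()[0] != sha256_bytes(raw):
        raise ValueError("map digest missing or mismatched; regenerate with `bigin.sh map`")
    m = json.loads(raw)
    age = now - datetime.fromisoformat(m["generated_at"])
    if age > max_age:
        raise ValueError(f"map is {age} old; refresh with `bigin.sh map` before writing")
    return m


def validate_stage(m: dict, sub_pipeline: str, stage: str) -> str:
    """Return the stage exactly as the map spells it, or raise listing the valid choices."""
    sp = m["sub_pipelines"].get(sub_pipeline)
    if sp is None:
        raise ValueError(f"unknown sub-pipeline {sub_pipeline!r}; known: {sorted(m['sub_pipelines'])}")
    stages = sp["stages"]
    if stage in stages:
        return stage
    # Report a case/spacing near-miss instead of silently accepting it.
    hint = {s.casefold(): s for s in stages}.get(stage.strip().casefold())
    raise ValueError(f"stage {stage!r} not in {stages}" + (f"; did you mean {hint!r}?" if hint else ""))


def demo() -> dict:
    """Exercise the checks with a constructed map (not real org metadata)."""
    now = datetime(2026, 5, 10, 12, 0, tzinfo=timezone.utc)
    sample = {
        "generated_at": (now - timedelta(hours=2)).isoformat(),
        "sub_pipelines": {"Sales Pipeline": {"stages": ["Qualification", "Proposal", "Closed Won", "Closed Lost"]}},
    }
    out = {}
    with tempfile.TemporaryDirectory() as d:
        path = Path(d) / "bigin-map.json"
        path.write_text(json.dumps(sample))
        try:
            load_map(path, now)
            out["unsigned"] = "allowed"
        except ValueError:
            out["unsigned"] = "refused"  # no sidecar yet
        record_digest(path)
        m = load_map(path, now)
        out["stage"] = validate_stage(m, "Sales Pipeline", "Closed Won")
        for key, requested in (("bad_stage", "Won"), ("case_slip", "closed won")):
            try:
                validate_stage(m, "Sales Pipeline", requested)
                out[key] = "allowed"
            except ValueError as e:
                out[key] = str(e)
        try:
            load_map(path, now + timedelta(days=3))
            out["stale"] = "allowed"
        except ValueError:
            out["stale"] = "refused"
        path.write_text(json.dumps({**sample, "sub_pipelines": {}}))  # edited after the digest was recorded
        try:
            load_map(path, now)
            out["tampered"] = "allowed"
        except ValueError:
            out["tampered"] = "refused"
    return out
```

The near-miss hint is deliberately an error, not an auto-correction: the user confirms the stage the map actually contains, which is the confirmation step the recommendation above asks for.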
