Zendesk
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: zendesk Version: 1.0.0 The skill's core functionality aligns with its stated purpose of managing Zendesk, with all API calls directed at legitimate Zendesk endpoints. However, it stores sensitive API credentials (Zendesk subdomain, email, and API token) in plain text within `~/zendesk/memory.md`, as explicitly detailed in `SKILL.md`, `memory-template.md`, and `setup.md`. This practice represents a significant vulnerability, as these credentials could be exposed to other local processes or unauthorized users if the file permissions are not strictly enforced. While there is no evidence of intentional malicious activity or exfiltration to unauthorized third parties, this insecure credential storage method makes the skill suspicious due to the high risk of credential compromise.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone using this skill should understand that the agent can act in Zendesk with the permissions of the supplied API token.
The skill requires Zendesk account credentials and an API token, which are expected for Zendesk API access but give the agent delegated account authority.
You need three things to connect: ... Email ... API Token — From Admin > Channels > API
Use a least-privilege Zendesk API token, rotate it if shared in chat, and revoke it if the skill is no longer needed.
Incorrect or overly broad commands could update multiple support tickets or customer-facing records.
The documented API operations include bulk ticket mutation. This is aligned with Zendesk management, and SKILL.md tells the agent to confirm destructive actions, but the capability can still affect business support records.
Bulk Update
curl -X PUT "$BASE/tickets/update_many.json?ids=1,2,3" ... -d '{"ticket": {"status": "solved"}}'Review ticket IDs, query scopes, public/private comment settings, and bulk actions before approving changes.
A locally stored Zendesk token could be reused in future sessions or exposed if the local file is read by someone else.
The skill recommends storing Zendesk credentials in a persistent local memory file. This is disclosed and purpose-aligned, but the token is sensitive persistent context.
Create `~/zendesk/memory.md` ... ## Credentials subdomain: email: token:
Prefer environment variables or a secure secret manager when possible; restrict file permissions on ~/zendesk/memory.md and avoid storing unnecessary ticket exports.