ClawHub

ZohoProject

v1.0.0

Manage Zoho Projects — list portals/projects, create/update/complete tasks, add comments, log time, manage milestones, and query your task list. Requires ZOH...

0· 100·0 current·0 all-time
by@katprotech
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the required env vars and the SKILL.md shows only Zoho Projects API calls (listing portals/projects, tasks, milestones, time logs). Required vars (ZOHO_ACCESS_TOKEN, ZOHO_PORTAL_ID) are appropriate for the stated purpose.
Instruction Scope
SKILL.md instructs only Zoho API calls and standard OAuth token refresh flows. It does not request reading unrelated system files or unrelated credentials. It does instruct storing refreshed tokens into the agent config (openclaw config set), which is reasonable for persistence of OAuth tokens.
Install Mechanism
No install spec or code files are present (instruction-only). No binaries or external downloads are required.
Credentials
Declared env vars are limited to Zoho access/refresh tokens, optional client id/secret, portal id, and an optional datacenter domain — all relevant to Zoho OAuth and API usage. No unrelated secrets or services are requested.
Persistence & Privilege
always:false and autonomous invocation is allowed (default). The skill asks the agent to save a refreshed access token with `openclaw config set skills.entries.zoho-projects.apiKey`, which writes the token to the agent's config under the skill's own entry — this is expected behavior for keeping an expiring OAuth token available but means a token may be persisted in the agent config and should be protected accordingly.
Assessment
This skill appears to do exactly what it says: call Zoho Projects APIs using the provided ZOHO_ACCESS_TOKEN and ZOHO_PORTAL_ID. Before installing: 1) Be comfortable with the agent storing the refreshed access token in its config (it writes to skills.entries.zoho-projects) — ensure that storage location is acceptable and access to the agent config is restricted. 2) Prefer providing only the minimal OAuth scopes and avoid supplying client_secret/refresh_token unless you want the skill to auto-refresh tokens. 3) Remember tokens expire hourly; if you do supply refresh credentials, they are sensitive and should be rotated if the skill is removed. 4) If you do not want the skill to call Zoho APIs autonomously, disable/limit autonomous invocation in your agent settings. Overall the skill is internally consistent with its stated purpose.

Like a lobster shell, security has layers — review code before you run it.

latestvk97e2qapfz38fmnpra3djb7x1583haze

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📋 Clawdis
EnvZOHO_ACCESS_TOKEN, ZOHO_PORTAL_ID
Primary envZOHO_ACCESS_TOKEN

Comments