Zoho Analytics

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The Zoho Analytics integration is mostly coherent, but it needs review because it enables broad authenticated API calls, including destructive methods, without clear approval or scope limits in the provided instructions.

Review this skill before installing if your Zoho Analytics account contains important business data. Use a limited-scope account or workspace, approve any mutating or delete operations explicitly, and be aware that the Membrane CLI and proxy handle authentication and API traffic.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An ambiguous or mistaken agent action could change or delete Zoho Analytics business data through the user's authenticated connection.

Why it was flagged

This exposes a broad authenticated API escape hatch, including destructive methods, without clear approval or scope limits in the provided instructions.

Skill content

When the available actions don't cover your use case, you can send requests directly to the Zoho Analytics API through Membrane's proxy... `-X, --method` | HTTP method (GET, POST, PUT, PATCH, DELETE).

Recommendation

Prefer listed Membrane actions, require explicit user confirmation before POST/PUT/PATCH/DELETE or bulk operations, and use a least-privilege Zoho connection where possible.

What this means

Using the skill authorizes Membrane and the agent workflow to act against the connected Zoho Analytics account.

Why it was flagged

The skill relies on delegated account authentication and credential refresh, which is expected for Zoho integration but grants continuing access through Membrane.

Skill content

This skill uses the Membrane CLI to interact with Zoho Analytics. Membrane handles authentication and credentials refresh automatically

Recommendation

Connect only the intended Zoho account/workspace, review granted permissions, and revoke the connection when it is no longer needed.

What this means

The installed CLI version may change over time and will run locally with the user's privileges.

Why it was flagged

The skill asks the user to install a global CLI package from npm using the moving @latest tag. This is central to the skill's purpose, but the exact installed code is not pinned in the artifact.

Skill content

npm install -g @membranehq/cli@latest

Recommendation

Install the CLI only from the expected Membrane/npm source, consider pinning a known version, and keep it updated through trusted channels.

What this means

Zoho Analytics request and response data may pass through Membrane while using the integration.

Why it was flagged

Zoho API traffic and authenticated requests are routed through Membrane as a gateway, which is disclosed and purpose-aligned but is an important data boundary.

Skill content

send requests directly to the Zoho Analytics API through Membrane's proxy. Membrane automatically appends the base URL... and injects the correct authentication headers

Recommendation

Avoid sending unnecessary sensitive data, verify Membrane's data handling terms, and use only the connection needed for the task.