Zoho Recruit

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Zoho Cliq integration that uses Membrane for authenticated API access, with no evidence of hidden or malicious behavior.

Install this only if you are comfortable connecting your Zoho Cliq account through Membrane. Because the skill can make authenticated API requests, review user prompts carefully before allowing changes such as posting, editing, or deleting records or messages.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The skill explicitly documents a generic authenticated proxy mechanism to the Zoho Recruit API without guardrails about destructive operations, sensitive data access, or confirmation requirements. In a recruiting system containing candidate PII and mutable business records, this can enable overbroad reads, edits, or deletions if the agent uses raw requests instead of constrained actions.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal