ClawHub

Zoho Mail

v0.2.1

Full read/write Zoho Mail access for OpenClaw agents

0· 96·0 current·0 all-time
by@panthrocorp
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the code and SKILL.md. Required env vars (ZOHO_MAIL_TOKEN_KEY, ZOHO_CLIENT_ID, ZOHO_CLIENT_SECRET) are exactly those used by the OAuth flow and local token encryption. Required binary 'zoho-mail' aligns with the provided Go source which builds that binary.
Instruction Scope
SKILL.md instructs the agent to run the zoho-mail CLI commands described in the code (auth, mail, folders, config). The runtime instructions only reference the declared env vars and the local config directory; there are no instructions to read unrelated system files, other skills' configs, or to transmit data to unexpected endpoints. OAuth flow is interactive and requires pasting the redirect URL.
Install Mechanism
There is no install spec in the registry (instruction-only), but full Go source files are included and README shows how to build the 'zoho-mail' binary. This is reasonable but means the operator must build or install the binary themselves — verify build steps and binary provenance before running.
Credentials
The skill requests three env vars which are appropriate: client ID/secret for OAuth and an encryption passphrase for storing tokens. No unrelated credentials or excessive environment access is requested. The tool refuses to store tokens without ZOHO_MAIL_TOKEN_KEY, which is a reasonable safety check.
Persistence & Privilege
always:false (default) and the binary only persists an encrypted token under its own config directory (default ~/.openclaw/credentials/zoho-mail). It does not modify other skills or system-wide settings. Token refreshes are saved to the same encrypted file by design.
Assessment
This skill appears to do what it claims (a full read/write Zoho Mail CLI). Before installing, verify these items: 1) Protect the three secrets (ZOHO_CLIENT_ID, ZOHO_CLIENT_SECRET, ZOHO_MAIL_TOKEN_KEY) in your secret manager — the client secret and encryption key should be treated as sensitive. 2) The skill grants full mailbox read/write/delete ability; only install if you trust the operator and agent that will use it. 3) Because there is no automated install spec, build the included Go source yourself (or verify the supplied binary) to ensure no tampering; follow reproducible build practices if possible. 4) The OAuth flow asks an operator to paste the full redirect URL (containing the code) into the terminal — be sure to paste it only into a trusted terminal. 5) To fully revoke access, delete the local token and also revoke sessions in Zoho. If you need a lower-risk option, consider a variant restricted to read-only scopes (this skill explicitly uses full write scopes).

Like a lobster shell, security has layers — review code before you run it.

latestvk975tgt5vqe9gn9p8rvb5p6hgn83x4wd

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📬 Clawdis
OSLinux
Binszoho-mail
EnvZOHO_MAIL_TOKEN_KEY, ZOHO_CLIENT_ID, ZOHO_CLIENT_SECRET

Comments