zoho-support-claw
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill appears to perform the stated Zoho/OpenAI support workflow, but it needs Review because it stores full customer ticket text locally and processes ticket content through OpenAI.
Before installing, confirm that your organization allows Zoho ticket contents to be sent to OpenAI and stored locally. Use a least-privilege Zoho token, protect the .env file, review data/embeddings.json as sensitive, and add cleanup/redaction practices before using this with real customer data.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Customer support conversations, resolutions, and requester details may remain in a local JSON file and be reused in later draft-generation prompts.
Historical ticket content and requester metadata are stored for later retrieval, not just embeddings. This is sensitive business/customer data persistence that is only partially described in the docs.
text: (t.subject||'') + '\n' + (t.description||'') + '\n' + (t.resolution||''),
meta: { requester: t.contact, closed_at: t.modifiedTime }
Disclose that raw ticket text is stored, add retention/cleanup controls, support redaction or filtering, and consider storing only the minimum needed data.
Ticket contents may be transmitted to OpenAI, which can matter for customer privacy, contractual restrictions, or regulated support data.
Open ticket details and retrieved historical-ticket context are sent to OpenAI to generate draft replies. This is purpose-aligned, but users should understand the external data flow.
const user = `Ticket subject: ${ticket.subject}\nTicket description: ${ticket.description}\nContext: ${context}`;
const resp = await client.chat.completions.create({
Confirm OpenAI use is allowed for the support data, add an explicit disclosure/approval step for sensitive tickets, and redact secrets or personal data where possible.
A Zoho OAuth token can grant access to support tickets, and an OpenAI key can incur usage and expose sent ticket data to the configured provider.
The skill requires account credentials for Zoho and OpenAI. This is expected for the integration, but the registry metadata lists no required environment variables or primary credential.
Configure .env with ZOHO_TOKEN and OPENAI_API_KEY
Use least-privilege Zoho credentials, protect the .env file, rotate tokens if exposed, and declare the required environment variables in the skill metadata.
Future installs may resolve different dependency versions than the author tested.
The skill depends on npm packages using semver ranges, and the provided manifest does not include a lockfile. This is common, but it leaves exact installed versions to resolution time.
"dependencies": {
"axios": "^1.4.0",
"dotenv": "^16.0.0",
"openai": "^4.0.0",
"pino": "^8.0.0"
}
Include a lockfile or pinned dependency versions, and install from a trusted environment.
