Zoho mail skill

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Zoho Mail helper that uses disclosed Zoho OAuth credentials to read and search mailbox data, with no evidence of hidden execution or unrelated data sharing.

Install only for Zoho accounts you are authorized to access. Use the narrow read-only scopes shown, avoid printing full message bodies unless needed, keep the client secret and refresh token out of logs or shared chats, and revoke or rotate the refresh token when you no longer need access.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 72% confidence
Finding: The skill immediately guides users to fetch mailbox contents and message bodies without a prominent privacy warning about exposing sensitive email data in terminal output, logs, or chat transcripts. In an agent setting, this can lead to inadvertent disclosure of personal, confidential, or regulated information even though the API usage itself is legitimate.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal