Skillv1.0.0

ClawScan security

Zoho mail skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignMar 15, 2026, 11:05 AM

Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary: The skill is an instruction-only Zoho Mail integration that asks only for curl/jq and the expected Zoho OAuth credentials; its requirements and instructions are consistent with its stated purpose.
Guidance: This skill is internally consistent with a Zoho Mail API integration, but the environment variables it asks for are sensitive OAuth credentials. Only install if you trust the skill source. Recommended precautions: create a dedicated Zoho self-client with minimal scopes, use an account or mailbox with limited data if possible, store the client secret/refresh token in a secure secret store (not a shared shell), and be prepared to revoke the refresh token if you stop trusting the skill. Verify you use the correct regional endpoints for your account. Because the skill is instruction-only (no code is installed), the main risk is credential exposure—ensure the agent runtime and any logs that might contain tokens are protected.

Purpose & Capability: okName, description, required binaries (curl, jq), and required environment variables (ZOHO_CLIENT_ID, ZOHO_CLIENT_SECRET, ZOHO_REFRESH_TOKEN) all align with a Zoho Mail REST-API integration. Nothing requested appears unrelated to reading/ searching/managing Zoho Mail.
Instruction Scope: okSKILL.md contains concrete curl/jq commands that call Zoho auth and mail endpoints and instructs how to obtain and use a refresh token and short-lived access tokens. It does not instruct reading unrelated files, contacting unexpected endpoints, or exfiltrating data to third parties; all network calls target Zoho endpoints (with region variants).
Install Mechanism: okNo install spec or code files are present (instruction-only). This minimizes on-disk code risk; it only requires that curl and jq are available at runtime, which is reasonable for the provided shell examples.
Credentials: noteThe skill requires three environment values (client id, client secret, refresh token) that are exactly what OAuth-based access to Zoho needs. These are sensitive credentials (the refresh token is long-lived unless revoked), so requiring them is proportionate but demands careful handling by the user.
Persistence & Privilege: okThe skill is not always-enabled and does not request system config paths or attempt to modify other skills. It is instruction-only and does not persist code or claim elevated agent-wide privileges.