Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Zoho Mail CLI

v0.1.4

Read, search, send, and manage Zoho Mail from the terminal. JSON output for scripting and agents. No third-party service required.

1· 588·2 current·2 all-time
by robsanna (@robsannaa)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
The name and description (Zoho Mail CLI) match the runtime instructions: the skill expects the 'zoho' CLI, performs mail list/search/get/download/send operations, and requires OAuth credentials for Zoho. No unrelated service credentials or binaries are requested.
Instruction Scope
SKILL.md stays within the mail-CLI scope (running 'zoho' commands, checking config, and using OS keyring). It documents one-time interactive OAuth login ('zoho login' opens a browser), local config and keyring storage, and optional env vars. Note: the SKILL.md header sets 'user-invocable: false' while registry metadata indicates the skill is user-invocable/autonomously callable — an inconsistency to resolve. Also, interactive browser login cannot be completed by an autonomous agent without extra steps, which limits autonomous use until login is done.
Install Mechanism
This is instruction-only (no platform install spec). SKILL.md shows typical user install paths (Homebrew, uv, pipx from a GitHub repo). Because the platform will not itself download or extract code, the risk from the skill bundle itself is low; however, installing the CLI from the referenced GitHub repo will pull and run code from that repo, so users should vet the upstream source before running the install commands.
Credentials
The registry lists no required env vars, while SKILL.md documents optional envs (ZOHO_ACCOUNT, ZOHO_CONFIG, ZOHO_TOKEN_PASSWORD) and clarifies that OAuth client_id/client_secret and access/refresh tokens are sensitive and stored locally. These credentials are proportionate to the stated purpose, but the discrepancy between registry metadata and SKILL.md (no primary credential declared vs. SKILL.md describing OAuth tokens) should be noted.
Persistence & Privilege
The skill does not request 'always: true' or other elevated persistent privileges, nor does it claim to modify other skills or system-wide configs. It operates by invoking an external CLI and using local config/keyring, which is expected for this function.
Assessment
This skill appears to be what it says: a wrapper that calls the 'zoho' CLI and uses local OAuth tokens. Before installing or invoking:
1) Verify the upstream repo (https://github.com/robsannaa/zoho-cli) and Homebrew tap (robsannaa/tap). Installing via pipx/uv/Homebrew runs code from that repo, so review it (and pin a specific commit or release rather than the branch head) if you don't trust the author.
2) Understand OAuth sensitivity. The CLI stores client_id/client_secret and tokens locally (config.json and the OS keyring); protect those files, and do not put ZOHO_TOKEN_PASSWORD or client secrets into shared CI without encryption.
3) Note the metadata mismatch: SKILL.md sets user-invocable: false while registry metadata allows invocation. Confirm whether you want the agent to call the CLI autonomously; an agent cannot complete the interactive 'zoho login' browser flow without manual steps.
4) If you deploy this in shared environments, restrict access to the config path and keyring entries.
If you want me to, I can fetch and summarize the GitHub repo contents (setup files, install scripts) so you can inspect what would be installed.
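Points 2 and 4 above (protect config.json, restrict the config path, keep ZOHO_TOKEN_PASSWORD out of plain CI variables) are checkable before the agent ever invokes the CLI. The script below is an added example written for this review; it is not ClawHub's scanner and not part of the zoho-cli project. It assumes things the page does not confirm: that the config file is a JSON object, that its secret-bearing keys are named client_secret, access_token and refresh_token, and that the default location is ~/.config/zoho/config.json. ZOHO_CONFIG and ZOHO_TOKEN_PASSWORD are the env vars SKILL.md documents; the CI detection (CI / GITHUB_ACTIONS) is a heuristic. The sample configs in demo() are constructed and contain no real credentials.

```python
"""Pre-flight audit of a locally stored Zoho Mail CLI OAuth config.

Added example, not ClawHub or zoho-cli code. Assumed (not confirmed by the
listing): JSON config, secret keys named client_secret/access_token/
refresh_token, default path ~/.config/zoho/config.json.
"""
import json
import os
import stat
import tempfile
from pathlib import Path

IS_POSIX = os.name == "posix"  # permission bits only carry meaning here
SECRET_KEYS = ("client_secret", "access_token", "refresh_token")  # assumed key names
DEFAULT_CONFIG = Path.home() / ".config" / "zoho" / "config.json"  # assumed default


def config_path(env=None):
    """Resolve the config file: ZOHO_CONFIG (documented) wins, else the assumed default."""
    env = os.environ if env is None else env
    override = env.get("ZOHO_CONFIG")
    return Path(override).expanduser() if override else DEFAULT_CONFIG


def audit_config(path, env=None):
    """Return a list of findings for one config file; an empty list means nothing to fix."""
    env = os.environ if env is None else env
    path = Path(path)
    findings = []
    if not path.is_file():
        return [f"{path}: missing; run the interactive 'zoho login' first"]

    if IS_POSIX:
        # The file holds client_secret/tokens, so nobody but the owner may read it.
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & 0o077:
            findings.append(f"{path}: mode {mode:04o} is group/world accessible; chmod 600")
        # A directory writable by others lets someone swap in their own config.json.
        dmode = stat.S_IMODE(path.parent.stat().st_mode)
        if dmode & 0o022:
            findings.append(f"{path.parent}: directory writable by group/other ({dmode:04o})")

    try:
        data = json.loads(path.read_text())
    except (OSError, ValueError) as exc:
        findings.append(f"{path}: unreadable or not JSON ({exc})")
        return findings
    if not isinstance(data, dict):
        findings.append(f"{path}: expected a JSON object")
        return findings

    # Secrets sitting in the file are what a copied ~/.config or a CI cache leaks;
    # the listing says the CLI can also keep tokens in the OS keyring.
    plaintext = [k for k in SECRET_KEYS if data.get(k)]
    if plaintext:
        findings.append(f"{path}: plaintext secrets in config: {', '.join(plaintext)}")

    # The listing warns against ZOHO_TOKEN_PASSWORD in shared CI without encryption.
    if env.get("ZOHO_TOKEN_PASSWORD") and (env.get("CI") or env.get("GITHUB_ACTIONS")):
        findings.append("ZOHO_TOKEN_PASSWORD is set in a CI environment; use an encrypted secret")
    return findings


def demo():
    """Audit two constructed configs (all values made up); returns (weak, hardened) findings."""
    weak_cfg = {
        "account": "user@example.com",
        "client_id": "1000.EXAMPLECLIENTID",
        "client_secret": "not-a-real-secret",
        "refresh_token": "1000.not-a-real-refresh-token",
    }
    hardened_cfg = {"account": "user@example.com", "client_id": "1000.EXAMPLECLIENTID"}
    with tempfile.TemporaryDirectory() as tmp:
        weak = Path(tmp, "weak", "config.json")
        weak.parent.mkdir()
        weak.write_text(json.dumps(weak_cfg))
        if IS_POSIX:
            os.chmod(weak.parent, 0o777)  # world-writable directory
            os.chmod(weak, 0o644)         # world-readable secrets
        weak_env = {"CI": "true", "ZOHO_TOKEN_PASSWORD": "hunter2", "ZOHO_CONFIG": str(weak)}
        weak_findings = audit_config(config_path(weak_env), weak_env)

        good = Path(tmp, "good", "config.json")
        good.parent.mkdir()
        good.write_text(json.dumps(hardened_cfg))
        if IS_POSIX:
            os.chmod(good.parent, 0o700)
            os.chmod(good, 0o600)
        good_env = {"ZOHO_CONFIG": str(good)}
        good_findings = audit_config(config_path(good_env), good_env)
    return weak_findings, good_findings


if __name__ == "__main__":
    for name, result in zip(("weak", "hardened"), demo()):
        print(f"{name}: {result or ['ok']}")
```

Run it once after 'zoho login' and again from any CI job or shared host that will drive the agent. The directory check matters as much as the file mode: an attacker who can write the config directory does not need to read your tokens, they can replace config.json with one pointing at an OAuth client they control.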


latestvk97e3jfss06g23gyszy9yfrxh181jh7p
