Zoho
Verdict: Warn. Audited by ClawScan on May 10, 2026.
Overview
This Zoho integration is mostly purpose-aligned, but it asks for broad, long-lived Zoho access and depends on a missing, unreviewed CLI that would handle tokens and API actions.
Review this skill carefully before installing. If you use it, create a least-privilege Zoho OAuth app, avoid printing tokens, verify the missing bin/zoho CLI source before trusting it, and only send meeting recordings to Gemini when your organization permits that data flow.
Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

1. If misused, the agent could read or change large parts of the user's Zoho business data, and printed tokens could expose account access.
The skill requests broad offline Zoho permissions and documents a command that prints an access token, creating both overbroad account authority and a risk that tokens appear in agent logs or chat output.
Evidence: zoho token # Print current access token (auto-refreshes) ... scope=ZohoCRM.modules.ALL,ZohoCRM.settings.ALL,ZohoProjects.projects.ALL,ZohoProjects.tasks.ALL ... access_type=offline ... Save the refresh_token — this is your long-lived credential.
Recommendation: Use the smallest Zoho scopes needed, avoid printing tokens in agent-visible contexts, rotate tokens if exposed, and require explicit confirmation for write or delete actions.

2. The skill may fail, or users may end up relying on an unreviewed or path-provided Zoho CLI for sensitive OAuth and business-data operations.
The provided package manifest does not include bin/zoho, while the README, SKILL.md, skill.json, and script rely on that CLI for token refresh and API calls.
Evidence: No install spec — this is an instruction-only skill. ... File manifest 7 file(s): README.md, SKILL.md, references/crm-api.md, references/meeting-api.md, references/projects-api.md, scripts/standup-summarizer.sh, skill.json
Recommendation: Do not install for production use until the required bin/zoho executable is included, reviewed, versioned, and its source/checksum is clear.

3. A user reviewing only install metadata may believe the skill needs no credentials, while actual use requires powerful account secrets.
This registry-level credential contract conflicts with the skill's documented need for Zoho client secrets, a refresh token, org IDs, and optionally a Gemini API key.
Evidence: Required env vars: none; Env var declarations: none; Primary credential: none
Recommendation: Update the registry metadata to declare the Zoho and Gemini credentials and clearly label which are required, optional, and secret.

4. Meeting recordings may contain confidential business, customer, or employee information that leaves Zoho/local storage and is processed by Google.
The standup summarizer extracts meeting audio and uploads it to Google's Gemini API for transcription.
Evidence: curl -s -X POST "https://generativelanguage.googleapis.com/upload/v1beta/files?key=${GEMINI_API_KEY}" ... --data-binary "@${WAV_FILE}"
Recommendation: Use this only with meeting-participant and organizational approval, review Google/Gemini retention policies, and consider per-meeting opt-in or redaction.

5. If configured as cron, the skill can repeatedly download and transcribe daily recordings without a fresh prompt each time.
The documentation encourages scheduled background execution of the summarizer.
Evidence: Works great as a cron job for automated daily standups.
Recommendation: Schedule it only intentionally, log its runs, limit which recordings it processes, and disable the cron job when no longer needed.
