Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

zoho-support-claw

Integrates Zoho Desk with OpenClaw to ingest tickets, generate local embeddings, analyze open tickets, and propose draft replies using OpenAI.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 287 · 0 current installs · 0 all-time installs
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Code implements Zoho Desk calls (axios), local embedding storage, and OpenAI calls for embeddings/completions, which aligns with the described purpose. However, the registry metadata claims 'Required env vars: none' and 'Primary credential: none', while README and SKILL.md (and the code) require ZOHO_TOKEN and OPENAI_API_KEY (also optional ZOHO_DOMAIN, OPENAI_MODEL, EMBEDDINGS_MODEL, LOG_LEVEL, INGEST_LIMIT). This metadata omission is an inconsistency (likely oversight) but not evidence of malicious intent.
Instruction Scope
SKILL.md instructs to put ZOHO_TOKEN and OPENAI_API_KEY in a .env and run npm scripts; the runtime instructions in index.js/ libs stick to that scope: fetching closed/open tickets, creating embeddings, saving vectors locally, and asking OpenAI for draft replies. The code does read other env vars (ZOHO_DOMAIN, LOG_LEVEL, INGEST_LIMIT, model overrides) which are not all documented in SKILL.md, so documentation is slightly incomplete but behavior is coherent.
Install Mechanism
This is an instruction-only skill for install (no platform install spec), but it includes Node.js source and a package.json with dependencies (axios, dotenv, openai, pino). Dependencies are expected and come from npm; there are no downloads from arbitrary URLs, no archive extraction, and no unusual install steps.
Credentials
Requested credentials (Zoho OAuth token and OpenAI API key) are proportional to the functionality. Important privacy implication: ticket text is sent to OpenAI for embeddings and completions, and full ticket text/resolution is persisted locally in data/embeddings.json. The skill does not request unrelated credentials, but you should confirm token scopes and be aware of third-party data sharing and local storage of potentially sensitive content.
Persistence & Privilege
always is false and the skill does not request elevated agent privileges or modify other skills. It persists its own data to data/embeddings.json (normal for a local vector store). No evidence it changes system-wide configuration or gains persistent agent privileges beyond normal skill behavior.
Assessment
What to check before installing:

  • Registry metadata mismatch: the package actually requires ZOHO_TOKEN and OPENAI_API_KEY (and optional ZOHO_DOMAIN and model/env settings) even though the registry lists none — update or confirm env requirements before use.
  • Data exposure: this skill sends ticket text to OpenAI for embeddings and drafts. If tickets contain PII or sensitive information, consider redaction, using an enterprise/isolated OpenAI account, or avoiding sending those fields.
  • Local storage: ticket text and embeddings are stored in data/embeddings.json on disk; secure that file (permissions, encryption, backups) or change storage behavior if needed.
  • Credential scope: use least-privilege Zoho tokens (limited scopes) and rotate tokens after testing. Do not use admin credentials if not required.
  • Run in an isolated environment first: examine network requests (to Zoho domain and OpenAI) and logs, and confirm the ingested data is what you expect.
  • Dependency review: dependencies are standard (axios, openai, dotenv, pino); keep them up-to-date and audit for known vulnerabilities.

If these tradeoffs are acceptable and you secure tokens and stored data, the implementation appears coherent with its stated purpose.

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.0
Tags: latest (vk9768hg6wk2aw35ecakwnkwhzh81whf2), local (vk9768hg6wk2aw35ecakwnkwhzh81whf2)

SKILL.md

zoho-support

Skill: zoho-support

Description: Integrates Zoho Desk with OpenClaw to ingest historical tickets, store local embeddings, analyse open tickets and propose draft replies.

Usage:

  • Install via clawhub/publish or copy to workspace skills.
  • Configure .env with ZOHO_TOKEN and OPENAI_API_KEY

Commands:

  • ingest: Run historical ingest (npm run ingest)
  • analyse: Analyse open tickets and generate drafts (npm run analyse)

Notes:

  • CommonJS project. No TypeScript.
  • Keep credentials in .env (don't commit).

Files

9 total