Back to skill

Security audit

Zoho CRM MCP

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Zoho CRM integration, but users should treat the MCP URL as a CRM credential and keep its permissions narrow.

Install only if you intend to let an agent access Zoho CRM through your MCP endpoint. Use the least Zoho scopes needed, start read-only, avoid enabling delete actions, store ZOHO_MCP_URL like a password, do not paste it into shared logs or screenshots, and rotate the MCP token if it is exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Tainted flow: 'cmd' from os.environ.get (line 31, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
"--args",
        json.dumps(args, ensure_ascii=False),
    ]
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=30, check=False)
    try:
        return json.loads(result.stdout)
    except json.JSONDecodeError:
Confidence
82% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, timeout=30, check=False)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill clearly instructs users to use environment variables and shell commands (`export`, `mcporter`, `python3`), yet no explicit permission declaration is present. That mismatch can undermine platform trust boundaries and cause users or orchestrators to run a skill with broader capabilities than are transparently documented, especially since it accesses a credential-bearing MCP endpoint.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The documentation tells users to place a credential-bearing MCP URL, including the token path segment, into shell profiles and command lines without clearly warning that this can leak into shell history, dotfiles, logs, screenshots, backups, and process inspection. Because the URL itself appears to function as a bearer secret, exposure could allow unauthorized CRM access with the associated scopes.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.