Security Audit

zoho

github.com/openclaw/skills

AI SkillCommit 13146e6a3d46

TRUSTED

Scanned 2 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

zoho received a trust score of 83/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.

SkillShield's automated analysis identified 5 findings: 0 critical, 0 high, 2 medium, and 2 low severity. Key findings include Unsafe deserialization / dynamic eval, Missing required field: name, Node lockfile missing.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.

Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

93%

Static Code Analysis

93%

Dependency Graph

98%

LLM Behavioral Safety

98%

Behavioral Risk Signals

Network Access

2 findings

Filesystem Write

1 finding

Shell Execution

1 finding

Dynamic Code

1 finding

Excessive Permissions

1 finding

Security Findings5

Severity	Finding	Layer	Location
MEDIUM	Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions.	Manifest	skills/senthazalravi/zohoclaw/skills/zoho/index.js:6
MEDIUM	Missing required field: name The 'name' field is required for claude_code skills but is missing from frontmatter. Add a 'name' field to the SKILL.md frontmatter.	Static	skills/senthazalravi/zohoclaw/skills/zoho/SKILL.md:1
LOW	Node lockfile missing package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution.	Dependencies	skills/senthazalravi/zohoclaw/skills/zoho/package.json
LOW	Potential logging of sensitive data in API error messages The `ZohoAuth.refreshAccessToken` and `ZohoAPI.request` methods log full JSON error responses using `JSON.stringify(json)` when an API call fails. If the Zoho API were to include sensitive information (e.g., parts of tokens, client secrets, or other credentials) within its error messages, this information could be inadvertently logged or exposed in system logs. Implement more granular error handling to redact or filter potentially sensitive information from API error responses before logging. Consider logging only specific, non-sensitive error codes or messages.	LLM	index.js:79
INFO	Inconsistent repository metadata in package.json The `bugs` and `homepage` fields in `package.json` point to a personal GitHub repository (`https://github.com/senthazalravi/TestFox`) instead of the expected `openclaw/skills` repository. This inconsistency could indicate a divergence in maintenance, origin, or an un-updated fork, potentially affecting trust and provenance within the supply chain. Update the `bugs` and `homepage` fields in `package.json` to accurately reflect the official repository URL for this skill if it is intended to be part of the `openclaw/skills` ecosystem.	LLM	package.json:15

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/abfad0725bcc67cf.svg)](https://skillshield.io/report/abfad0725bcc67cf)