← Back to Skills Marketplace
Zoho
by
Shreef Entsar
· GitHub ↗
· v2.0.2
2940
Downloads
2
Stars
3
Active Installs
7
Versions
Install in OpenClaw
/install zoho
Description
Interact with Zoho CRM, Projects, and Meeting APIs. Use when managing deals, contacts, leads, tasks, projects, milestones, meeting recordings, or any Zoho wo...
Usage Guidance
This skill appears to implement the claimed Zoho features, but there are several packaging/metadata mismatches you should address before use: 1) The registry metadata claims no required env vars or binaries, but SKILL.md and skill.json require Zoho credentials (client ID/secret/refresh token) and an optional GEMINI_API_KEY; the agent will need those secrets in a .env file in the skill directory. 2) The scripts call external programs (curl, jq, ffmpeg, base64, stat) and a local CLI bin/zoho; verify those tools exist and that the bin/zoho executable is present and trustworthy (the manifest does not include bin/zoho). 3) The standup summarizer will upload meeting audio to Google's Generative Language API when GEMINI_API_KEY is set — if you do not want recordings sent to a third party, do not set GEMINI_API_KEY or disable the summarizer. 4) Inspect the referenced repository (https://github.com/shreefentsar/clawdbot-zoho) and confirm the missing files and the bin/zoho implementation match your security requirements. 5) Run the skill in an isolated environment or test account first, and consider restricting the skill's access to only the Zoho scopes you need. If you want me to, I can list the exact lines where external endpoints are called, enumerate the runtime binaries the scripts need, or check whether the upstream repo contains the missing bin/zoho.
Capability Analysis
Type: OpenClaw Skill
Name: zoho
Version: 2.0.2
The skill is classified as suspicious due to its broad API permissions and the explicit instruction to send potentially sensitive meeting audio recordings to the Google Gemini API for transcription, as detailed in `SKILL.md`, `README.md`, and `scripts/standup-summarizer.sh`. While this functionality is openly declared and requires the user's `GEMINI_API_KEY`, the act of transmitting private meeting content to a third-party service represents a significant data privacy and exfiltration risk if not fully understood or consented to by the user. Additionally, the `zoho raw GET` command in `SKILL.md` allows the AI agent to make arbitrary API calls within the granted broad scopes, increasing the potential attack surface.
Capability Assessment
Purpose & Capability
Functionality described (CRM, Projects, Meeting, downloading recordings, transcribing via Gemini) matches the files and scripts present. Requested credentials (Zoho client ID/secret/refresh token, org IDs) are appropriate for the described Zoho API access. However, the registry metadata claims no required env vars/binaries while the included skill.json and SKILL.md clearly require secrets and a CLI; the README and scripts reference a bin/zoho CLI wrapper but that binary is not present in the provided file manifest — this mismatch is unexpected and reduces confidence in packaging quality.
Instruction Scope
The SKILL.md and README instruct the user/agent to create a .env containing secrets and to use a 'zoho' CLI wrapper. The included standup-summarizer.sh reads that .env and will download meeting MP4s from Zoho and upload audio to Google's Generative Language (Gemini) APIs for transcription if GEMINI_API_KEY is set. That behavior is consistent with the stated feature (transcription) but it means meeting audio and transcripts will be sent to an external service (Google) — the instructions do not clarify privacy/consent implications. The agent/script reads and writes files under the skill directory and /tmp and writes persistent state (standup-processed.json). The SKILL.md also instructs using the CLI (bin/zoho), but that binary is referenced yet not present in the manifest, so runtime instructions may fail or behave unpredictably.
Install Mechanism
No install spec (instruction-only) — lower risk from remote code fetch. Good: nothing is automatically downloaded at install time. Note: the skill expects additional tools at runtime (curl, jq, ffmpeg, base64, stat, ffmpeg) but does not declare them in the registry metadata. The absence of a proper install step means the user/agent must supply these tools; the README mentions 'bin/zoho' and 'chmod +x' but that binary is not present in the manifest, which is an installation/packaging inconsistency.
Credentials
The secrets requested by skill.json and SKILL.md (ZOHO_CLIENT_ID, ZOHO_CLIENT_SECRET, ZOHO_REFRESH_TOKEN, org IDs) are proportionate to Zoho API access. GEMINI_API_KEY is optional and only required for the standup summarizer that uploads audio to Google's API. The major concern is discordant metadata: the registry summary (provided to platform) lists no required env vars or primary credential, while skill.json enumerates multiple required secret env vars. This mismatch could cause users or automated installers to overlook that they must provide secrets and that audio may be sent to a third-party service.
Persistence & Privilege
The skill writes a local processed-file (standup-processed.json) under its data directory (configurable via ZOHO_DATA_DIR) and uses /tmp for temp files. It does not request always: true, does not modify other skills or global agent settings, and only stores state for its own operations. This level of persistence is typical for a utility that downloads and processes recordings.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install zoho - After installation, invoke the skill by name or use
/zoho - Provide required inputs per the skill's parameter spec and get structured output
Version History
v2.0.2
Fix security scan: configurable paths (no more hardcoded /root/clawd), declared all env vars in skill.json including GEMINI_API_KEY, verified bin/zoho exists in manifest
v2.0.1
Added Zone 99 and GitHub links directly in skill body for visibility on ClawdHub page.
v2.0.0
Major update: Added comprehensive README with documentation, real-world use cases, contributing guide. GitHub repo: github.com/shreefentsar/clawdbot-zoho. Made by Zone 99 team.
v1.3.0
Re-publish with complete OAuth2 setup guide
v1.2.0
Added comprehensive OAuth2 setup guide: step-by-step instructions for registering app, generating authorization code, exchanging for refresh token, finding org IDs, and configuring .env. Includes datacenter URLs, scope reference table, and troubleshooting section.
v1.1.0
Added Meeting API: recording list, download, meeting sessions. New zoho meeting CLI commands. Includes standup-summarizer.sh script for automated meeting transcription (Zoho Meeting → ffmpeg → Gemini Flash → summary). Added meeting-api.md reference docs. Updated .env.example with Meeting config.
v1.0.0
Initial release: CLI wrapper with OAuth token caching, CRM CRUD, Projects tasks/milestones/bugs/timelogs, raw API support
Metadata
Frequently Asked Questions
What is Zoho?
Interact with Zoho CRM, Projects, and Meeting APIs. Use when managing deals, contacts, leads, tasks, projects, milestones, meeting recordings, or any Zoho wo... It is an AI Agent Skill for Claude Code / OpenClaw, with 2940 downloads so far.
How do I install Zoho?
Run "/install zoho" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Zoho free?
Yes, Zoho is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Zoho support?
Zoho is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Zoho?
It is built and maintained by Shreef Entsar (@shreefentsar); the current version is v2.0.2.
More Skills