← Back to Skills Marketplace
491
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install zoho-support-claw
Description
Integrates Zoho Desk with OpenClaw to ingest tickets, generate local embeddings, analyze open tickets, and propose draft replies using OpenAI.
Usage Guidance
What to check before installing:
- Registry metadata mismatch: the package actually requires ZOHO_TOKEN and OPENAI_API_KEY (and optional ZOHO_DOMAIN and model/env settings) even though the registry lists none — update or confirm env requirements before use.
- Data exposure: this skill sends ticket text to OpenAI for embeddings and drafts. If tickets contain PII or sensitive information, consider redaction, using an enterprise/isolated OpenAI account, or avoiding sending those fields.
- Local storage: ticket text and embeddings are stored in data/embeddings.json on disk; secure that file (permissions, encryption, backups) or change storage behavior if needed.
- Credential scope: use least-privilege Zoho tokens (limited scopes) and rotate tokens after testing. Do not use admin credentials if not required.
- Run in an isolated environment first: examine network requests (to Zoho domain and OpenAI) and logs, and confirm the ingested data is what you expect.
- Dependency review: dependencies are standard (axios, openai, dotenv, pino); keep them up-to-date and audit for known vulnerabilities.
If these tradeoffs are acceptable and you secure tokens and stored data, the implementation appears coherent with its stated purpose.
Capability Analysis
Type: OpenClaw Skill
Name: zoho-support-claw
Version: 1.0.0
The skill is classified as suspicious due to a potential indirect prompt injection vulnerability in `lib/replyGenerator.js`. Ticket subject, description, and context (derived from other tickets) are directly embedded into the user prompt for the OpenAI API without sanitization. If an attacker can inject malicious instructions into Zoho Desk ticket fields, these could potentially influence the LLM's behavior to generate harmful content or reveal unintended information. While network and file access are consistent with the skill's stated purpose, this specific vulnerability poses a risk.
Capability Assessment
Purpose & Capability
Code implements Zoho Desk calls (axios), local embedding storage, and OpenAI calls for embeddings/completions, which aligns with the described purpose. However, the registry metadata claims 'Required env vars: none' and 'Primary credential: none', while README and SKILL.md (and the code) require ZOHO_TOKEN and OPENAI_API_KEY (also optional ZOHO_DOMAIN, OPENAI_MODEL, EMBEDDINGS_MODEL, LOG_LEVEL, INGEST_LIMIT). This metadata omission is an inconsistency (likely oversight) but not evidence of malicious intent.
Instruction Scope
SKILL.md instructs to put ZOHO_TOKEN and OPENAI_API_KEY in a .env and run npm scripts; the runtime instructions in index.js/ libs stick to that scope: fetching closed/open tickets, creating embeddings, saving vectors locally, and asking OpenAI for draft replies. The code does read other env vars (ZOHO_DOMAIN, LOG_LEVEL, INGEST_LIMIT, model overrides) which are not all documented in SKILL.md, so documentation is slightly incomplete but behavior is coherent.
Install Mechanism
This is an instruction-only skill for install (no platform install spec), but it includes Node.js source and a package.json with dependencies (axios, dotenv, openai, pino). Dependencies are expected and come from npm; there are no downloads from arbitrary URLs, no archive extraction, and no unusual install steps.
Credentials
Requested credentials (Zoho OAuth token and OpenAI API key) are proportional to the functionality. Important privacy implication: ticket text is sent to OpenAI for embeddings and completions, and full ticket text/resolution is persisted locally in data/embeddings.json. The skill does not request unrelated credentials, but you should confirm token scopes and be aware of third-party data sharing and local storage of potentially sensitive content.
Persistence & Privilege
always is false and the skill does not request elevated agent privileges or modify other skills. It persists its own data to data/embeddings.json (normal for a local vector store). No evidence it changes system-wide configuration or gains persistent agent privileges beyond normal skill behavior.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install zoho-support-claw - After installation, invoke the skill by name or use
/zoho-support-claw - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of zoho-support-claw.
- Integrates Zoho Desk with OpenClaw to ingest historical support tickets and generate AI-powered draft replies.
- Stores local embeddings for enhanced analysis.
- Provides commands to ingest ticket history and analyze open tickets.
- Requires ZOHO_TOKEN and OPENAI_API_KEY in .env for setup.
Metadata
Frequently Asked Questions
What is zoho-support-claw?
Integrates Zoho Desk with OpenClaw to ingest tickets, generate local embeddings, analyze open tickets, and propose draft replies using OpenAI. It is an AI Agent Skill for Claude Code / OpenClaw, with 491 downloads so far.
How do I install zoho-support-claw?
Run "/install zoho-support-claw" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is zoho-support-claw free?
Yes, zoho-support-claw is completely free (open-source). You can download, install and use it at no cost.
Which platforms does zoho-support-claw support?
zoho-support-claw is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created zoho-support-claw?
It is built and maintained by Pretid (@pretid); the current version is v1.0.0.
More Skills