Zoho
Author: Shreef Entsar · v2.0.2
Total downloads: 2940
Favorites: 2
Current installs: 3
Versions: 7
Install in OpenClaw
/install zoho
Description
Interact with Zoho CRM, Projects, and Meeting APIs. Use when managing deals, contacts, leads, tasks, projects, milestones, meeting recordings, or any Zoho wo...
Security usage recommendations
This skill appears to implement the claimed Zoho features, but there are several packaging/metadata mismatches you should address before use:
1) The registry metadata claims no required env vars or binaries, but SKILL.md and skill.json require Zoho credentials (client ID/secret/refresh token) and an optional GEMINI_API_KEY; the agent will need those secrets in a .env file in the skill directory.
2) The scripts call external programs (curl, jq, ffmpeg, base64, stat) and a local CLI bin/zoho; verify those tools exist and that the bin/zoho executable is present and trustworthy (the manifest does not include bin/zoho).
3) The standup summarizer will upload meeting audio to Google's Generative Language API when GEMINI_API_KEY is set; if you do not want recordings sent to a third party, do not set GEMINI_API_KEY or disable the summarizer.
4) Inspect the referenced repository (https://github.com/shreefentsar/clawdbot-zoho) and confirm the missing files and the bin/zoho implementation match your security requirements.
5) Run the skill in an isolated environment or test account first, and consider restricting the skill's access to only the Zoho scopes you need.
If you want me to, I can list the exact lines where external endpoints are called, enumerate the runtime binaries the scripts need, or check whether the upstream repo contains the missing bin/zoho.
Functional analysis
Type: OpenClaw Skill
Name: zoho
Version: 2.0.2
The skill is classified as suspicious due to its broad API permissions and the explicit instruction to send potentially sensitive meeting audio recordings to the Google Gemini API for transcription, as detailed in `SKILL.md`, `README.md`, and `scripts/standup-summarizer.sh`. While this functionality is openly declared and requires the user's `GEMINI_API_KEY`, the act of transmitting private meeting content to a third-party service represents a significant data privacy and exfiltration risk if not fully understood or consented to by the user. Additionally, the `zoho raw GET` command in `SKILL.md` allows the AI agent to make arbitrary API calls within the granted broad scopes, increasing the potential attack surface.
Capability assessment
Purpose & Capability
Functionality described (CRM, Projects, Meeting, downloading recordings, transcribing via Gemini) matches the files and scripts present. Requested credentials (Zoho client ID/secret/refresh token, org IDs) are appropriate for the described Zoho API access. However, the registry metadata claims no required env vars/binaries while the included skill.json and SKILL.md clearly require secrets and a CLI; the README and scripts reference a bin/zoho CLI wrapper but that binary is not present in the provided file manifest — this mismatch is unexpected and reduces confidence in packaging quality.
Instruction Scope
The SKILL.md and README instruct the user/agent to create a .env containing secrets and to use a 'zoho' CLI wrapper. The included standup-summarizer.sh reads that .env and will download meeting MP4s from Zoho and upload audio to Google's Generative Language (Gemini) APIs for transcription if GEMINI_API_KEY is set. That behavior is consistent with the stated feature (transcription) but it means meeting audio and transcripts will be sent to an external service (Google) — the instructions do not clarify privacy/consent implications. The agent/script reads and writes files under the skill directory and /tmp and writes persistent state (standup-processed.json). The SKILL.md also instructs using the CLI (bin/zoho), but that binary is referenced yet not present in the manifest, so runtime instructions may fail or behave unpredictably.
Install Mechanism
No install spec (instruction-only): lower risk from remote code fetch. Good: nothing is automatically downloaded at install time. Note: the skill expects additional tools at runtime (curl, jq, ffmpeg, base64, stat) but does not declare them in the registry metadata. The absence of a proper install step means the user/agent must supply these tools; the README mentions 'bin/zoho' and 'chmod +x' but that binary is not present in the manifest, which is an installation/packaging inconsistency.
Credentials
The secrets requested by skill.json and SKILL.md (ZOHO_CLIENT_ID, ZOHO_CLIENT_SECRET, ZOHO_REFRESH_TOKEN, org IDs) are proportionate to Zoho API access. GEMINI_API_KEY is optional and only required for the standup summarizer that uploads audio to Google's API. The major concern is discordant metadata: the registry summary (provided to platform) lists no required env vars or primary credential, while skill.json enumerates multiple required secret env vars. This mismatch could cause users or automated installers to overlook that they must provide secrets and that audio may be sent to a third-party service.
Persistence & Privilege
The skill writes a local processed-file (standup-processed.json) under its data directory (configurable via ZOHO_DATA_DIR) and uses /tmp for temp files. It does not request always: true, does not modify other skills or global agent settings, and only stores state for its own operations. This level of persistence is typical for a utility that downloads and processes recordings.
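How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install zoho
- Once installed, call the Skill by name or trigger it with /zoho
- Provide the required inputs according to the Skill's parameter description to get structured output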
Version history
v2.0.2
Fix security scan: configurable paths (no more hardcoded /root/clawd), declared all env vars in skill.json including GEMINI_API_KEY, verified bin/zoho exists in manifest
v2.0.1
Added Zone 99 and GitHub links directly in skill body for visibility on ClawdHub page.
v2.0.0
Major update: Added comprehensive README with documentation, real-world use cases, contributing guide. GitHub repo: github.com/shreefentsar/clawdbot-zoho. Made by Zone 99 team.
v1.3.0
Re-publish with complete OAuth2 setup guide
v1.2.0
Added comprehensive OAuth2 setup guide: step-by-step instructions for registering app, generating authorization code, exchanging for refresh token, finding org IDs, and configuring .env. Includes datacenter URLs, scope reference table, and troubleshooting section.
v1.1.0
Added Meeting API: recording list, download, meeting sessions. New zoho meeting CLI commands. Includes standup-summarizer.sh script for automated meeting transcription (Zoho Meeting → ffmpeg → Gemini Flash → summary). Added meeting-api.md reference docs. Updated .env.example with Meeting config.
v1.0.0
Initial release: CLI wrapper with OAuth token caching, CRM CRUD, Projects tasks/milestones/bugs/timelogs, raw API support
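Metadata
FAQ
What is Zoho?
Interact with Zoho CRM, Projects, and Meeting APIs. Use when managing deals, contacts, leads, tasks, projects, milestones, meeting recordings, or any Zoho wo... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 2940 total downloads to date.
How do I install Zoho?
Run the command "/install zoho" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is required.
Is Zoho free?
Yes, Zoho is completely free (open source and free of charge) and can be freely downloaded, installed and used.
Which platforms does Zoho support?
Zoho runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Zoho?
Developed and maintained by Shreef Entsar (@shreefentsar); the current version is v2.0.2.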