← 返回 Skills 市场
657
总下载
1
收藏
2
当前安装
3
版本数
在 OpenClaw 中安装
/install zoho-cli
功能描述
Read, search, send, and manage Zoho Mail from the terminal. JSON output for scripting and agents. No third-party service required.
安全使用建议
This skill appears to be what it says: a wrapper that calls the 'zoho' CLI and uses local OAuth tokens. Before installing or invoking: 1) Verify the upstream repo (https://github.com/robsannaa/zoho-cli) and Homebrew tap (robsannaa/tap) — installing via pipx/uv/homebrew will run code from that repo, so review it if you don't trust the author. 2) Understand OAuth sensitivity — the CLI stores client_id/client_secret and tokens locally (config.json and OS keyring); protect those files and avoid putting ZOHO_TOKEN_PASSWORD or client secrets into shared CI without encryption. 3) Note the metadata mismatch: SKILL.md sets user-invocable: false while registry metadata allows invocation; confirm whether you want the agent to call the CLI autonomously (an agent cannot complete the interactive 'zoho login' browser flow without manual steps). 4) If you deploy this in shared environments, restrict access to the config path and keyring entries. If you want me to, I can fetch and summarize the GitHub repo contents (setup files, install scripts) so you can inspect what would be installed.
功能分析
Type: OpenClaw Skill
Name: zoho-cli
Version: 0.1.4
The skill is classified as suspicious due to its inherent handling of highly sensitive data (OAuth client_id/client_secret, access/refresh tokens) which are stored locally in configuration files and the OS keyring, as explicitly disclosed in SKILL.md. While this storage is local and transparently communicated, it presents a significant risk if the system or agent is compromised. Additionally, the skill provides file write capabilities via `zoho mail download-attachment` and email sending capabilities via `zoho mail send`, which, if combined with a malicious prompt to the agent, could be exploited for unauthorized file manipulation or communication. There is no direct evidence of intentional malicious behavior or prompt injection within the skill's instructions, but the capabilities themselves carry high risk.
能力评估
Purpose & Capability
The name/description (Zoho Mail CLI) match the runtime instructions: the skill expects the 'zoho' CLI, performs mail list/search/get/download/send operations, and requires OAuth credentials for Zoho. No unrelated service credentials or binaries are requested.
Instruction Scope
SKILL.md stays within the mail-CLI scope (running 'zoho' commands, checking config, and using OS keyring). It documents one-time interactive OAuth login ('zoho login' opens a browser), local config and keyring storage, and optional env vars. Note: the SKILL.md header sets 'user-invocable: false' while registry metadata indicates the skill is user-invocable/autonomously callable — an inconsistency to resolve. Also, interactive browser login cannot be completed by an autonomous agent without extra steps, which limits autonomous use until login is done.
Install Mechanism
This is instruction-only (no platform install spec). SKILL.md shows typical user install paths (Homebrew, uv, pipx from a GitHub repo). Because the platform will not itself download/extract code, the risk is low from the skill bundle; however installing the CLI from the referenced GitHub repo will pull code from that repo — users should vet the upstream source before running install commands.
Credentials
The registry lists no required env vars, while SKILL.md documents optional envs (ZOHO_ACCOUNT, ZOHO_CONFIG, ZOHO_TOKEN_PASSWORD) and clarifies that OAuth client_id/client_secret and access/refresh tokens are sensitive and stored locally. These credentials are proportionate to the stated purpose, but the discrepancy between registry metadata and SKILL.md (no primary credential declared vs. SKILL.md describing OAuth tokens) should be noted.
Persistence & Privilege
The skill does not request 'always: true' or other elevated persistent privileges, nor does it claim to modify other skills or system-wide configs. It operates by invoking an external CLI and using local config/keyring, which is expected for this function.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install zoho-cli - 安装完成后,直接呼叫该 Skill 的名称或使用
/zoho-cli触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.1.4
zoho-cli 0.1.4 changelog
- Clarified requirements in skill description and readme: emphasized need for 'zoho' binary, OAuth setup, and local credential storage.
- Added note on credential storage to further highlight local config and OS keyring usage.
- No new features or command changes; updated documentation and descriptions only.
v0.1.3
**Added compatibility and credential storage information for transparency and user security awareness.**
- Added a "compatibility" section outlining CLI/tool requirements and sensitive credential handling.
- Documented where OAuth client/secret and tokens are stored and why users should protect them.
- No changes to commands or functionality; documentation and metadata only.
v0.1.2
## zoho-cli 0.1.2 changelog
- Updated SKILL.md with detailed install, usage, and command documentation
- Added clearer instructions for prerequisites and authentication flows
- Enhanced documentation of CLI output formats and error handling
- Clarified usage of global flags and environment variables
- Documented all major commands and typical scripting patterns for automation
- Improved error response examples and code explanations
元数据
常见问题
Zoho Mail CLI 是什么?
Read, search, send, and manage Zoho Mail from the terminal. JSON output for scripting and agents. No third-party service required. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 657 次。
如何安装 Zoho Mail CLI?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install zoho-cli」即可一键安装,无需额外配置。
Zoho Mail CLI 是免费的吗?
是的,Zoho Mail CLI 完全免费(开源免费),可自由下载、安装和使用。
Zoho Mail CLI 支持哪些平台?
Zoho Mail CLI 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Zoho Mail CLI?
由 robsanna(@robsannaa)开发并维护,当前版本 v0.1.4。
推荐 Skills