zoho-api

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt embeds a plaintext secret token ("tsh-revalidate-2024") in example curl URLs and instructs using it for revalidation, which requires the LLM to reproduce the secret verbatim (high exfiltration risk).

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is a specific integration with Zoho Books and Zoho Inventory APIs and explicitly surfaces financial endpoints and functionality (invoices, sales orders, customerpayments/payments, credit notes, a payments.ts module). It is not a generic browser or HTTP tool — it is purpose-built to interact with accounting/payment endpoints (including creating/fetching payments and invoices) and manages OAuth/token caching for those calls. Because its primary and explicit purpose includes handling payments/invoices, it constitutes direct financial execution capability.