zoho

Warn

Audited by Socket on Apr 17, 2026

1 alert found:

Security: MEDIUM
SKILL.md

SUSPICIOUS. The Zoho API usage itself is coherent and mostly points to official Zoho endpoints, but the skill’s trust model is weak: it relies on an unverifiable repo-local CLI wrapper from a personal GitHub account, uses transitive skill installation, and asks that wrapper to handle long-lived Zoho credentials. The optional meeting summarizer also expands data flow to a third-party AI service. This is not confirmed malware, but the install provenance and credential-forwarding footprint are disproportionate enough to warrant caution.

Confidence: 87%
Severity: 81%
Audit Metadata
Analyzed At: Apr 17, 2026, 11:14 PM
Package URL: pkg:socket/skills-sh/shreefentsar%2Fclawdbot-zoho%2Fzoho%2F@6d5cece74b5a899e518a90d7a71fcf61d38f3666