Zoho

Functionality described (CRM, Projects, Meeting, downloading recordings, transcribing via Gemini) matches the files and scripts present. Requested credentials (Zoho client ID/secret/refresh token, org IDs) are appropriate for the described Zoho API access. However, the registry metadata claims no required env vars/binaries while the included skill.json and SKILL.md clearly require secrets and a CLI; the README and scripts reference a bin/zoho CLI wrapper but that binary is not present in the provided file manifest — this mismatch is unexpected and reduces confidence in packaging quality.

The SKILL.md and README instruct the user/agent to create a .env containing secrets and to use a 'zoho' CLI wrapper. The included standup-summarizer.sh reads that .env and will download meeting MP4s from Zoho and upload audio to Google's Generative Language (Gemini) APIs for transcription if GEMINI_API_KEY is set. That behavior is consistent with the stated feature (transcription) but it means meeting audio and transcripts will be sent to an external service (Google) — the instructions do not clarify privacy/consent implications. The agent/script reads and writes files under the skill directory and /tmp and writes persistent state (standup-processed.json). The SKILL.md also instructs using the CLI (bin/zoho), but that binary is referenced yet not present in the manifest, so runtime instructions may fail or behave unpredictably.

No install spec (instruction-only) — lower risk from remote code fetch. Good: nothing is automatically downloaded at install time. Note: the skill expects additional tools at runtime (curl, jq, ffmpeg, base64, stat, ffmpeg) but does not declare them in the registry metadata. The absence of a proper install step means the user/agent must supply these tools; the README mentions 'bin/zoho' and 'chmod +x' but that binary is not present in the manifest, which is an installation/packaging inconsistency.

The secrets requested by skill.json and SKILL.md (ZOHO_CLIENT_ID, ZOHO_CLIENT_SECRET, ZOHO_REFRESH_TOKEN, org IDs) are proportionate to Zoho API access. GEMINI_API_KEY is optional and only required for the standup summarizer that uploads audio to Google's API. The major concern is discordant metadata: the registry summary (provided to platform) lists no required env vars or primary credential, while skill.json enumerates multiple required secret env vars. This mismatch could cause users or automated installers to overlook that they must provide secrets and that audio may be sent to a third-party service.

The skill writes a local processed-file (standup-processed.json) under its data directory (configurable via ZOHO_DATA_DIR) and uses /tmp for temp files. It does not request always: true, does not modify other skills or global agent settings, and only stores state for its own operations. This level of persistence is typical for a utility that downloads and processes recordings.