Back to plugin

Security audit

ZaloClaw

Security checks across malware telemetry and agentic risk

Overview

The package is coherent for connecting OpenClaw to a personal Zalo account, but it gives the agent sensitive messaging and account-control powers that users should enable deliberately.

Install only if you want an AI agent connected to your personal Zalo account. This plugin can send and delete messages, manage friends and groups, change account/profile-related settings, and use a reverse-engineered personal-account API that may violate Zalo's terms or risk account lockout. Use pairing or allowlists, keep group tool policies tight, and enable passive group-history logging only when everyone affected understands messages will be saved locally.

VirusTotal

61/61 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

Detected: suspicious.potential_exfiltration

Sensitive-looking file read is paired with a network send.

Warn
Code
suspicious.potential_exfiltration
Location
dist/index.js:31
Evidence
const raw = readFileSync(CREDENTIALS_PATH, "utf-8");