Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Zalo Agent CLI

v1.3.0

Automate Zalo messaging, Official Account (OA), and MCP server integration via zalo-agent-cli. Triggers: 'zalo', 'send zalo', 'zalo OA', 'official account',...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the runtime instructions: the SKILL.md exclusively documents using the external 'zalo-agent' CLI to manage Zalo personal accounts, OA, and MCP. The only required binary is 'zalo-agent', which is appropriate for the described functionality. No unrelated credentials, binaries, or system paths are requested.
Instruction Scope
Instructions stay within the stated domain (login, messaging, listen/webhook, OA, MCP). Notable behaviors that are expected but security-relevant: (1) listen --webhook forwards live event JSON to arbitrary endpoints (can exfiltrate PII if misconfigured); (2) login flow uses curl to discover server IP for QR URL (exposes server IP to the helper flow); (3) account export produces credential files which the docs explicitly warn are sensitive. These are consistent with the skill purpose but require careful user configuration and explicit consent before mass-forwarding or exporting secrets.
Install Mechanism
There is no install spec in the skill bundle (instruction-only). That minimizes risk from the skill itself writing or executing code. However, the skill depends on the external 'zalo-agent' binary; users must obtain and verify that binary separately (homepage points to a GitHub repo).
Credentials
The skill declares no required environment variables or credentials and the runtime instructions do not request secrets beyond the normal use of the external CLI (app ID/secret when using OA, proxy credentials used only if user supplies them). There is no unexplained request for unrelated tokens/keys.
Persistence & Privilege
The skill is not force-included (always=false) and does not request persistent platform privileges. It instructs use of local files (creds.json, ~/.zalo-agent/*) and starting local listeners (MCP/oa listen), but these are in-scope for the tool and documented as sensitive. No evidence the skill would modify other skills or global agent settings.
Scan Findings in Context
[prompt-injection:ignore-previous-instructions] expected: The phrase appears in the included evaluation scenarios (adversarial test prompts). These are part of the skill's test-suite and handling guidance (the SKILL.md includes explicit refusal guidance), so presence is expected rather than an active instruction to the agent to override policy.
[prompt-injection:you-are-now] expected: Similarly appears in attack/jailbreak test cases within the eval scenarios. The document instructs the agent to detect and refuse such prompt-injection attempts; inclusion is for testing/defense, not to perform an override.
Assessment
This skill is an instruction-only wrapper for the external 'zalo-agent' CLI and appears coherent. Before using it: (1) obtain the zalo-agent binary from the official GitHub releases (verify checksums/signatures if available) — the skill does not provide or install the binary; (2) be careful when enabling listen --webhook: any configured webhook URL will receive message contents (PII), so only send events to endpoints you control and prefer HTTPS with authentication; (3) never publish or transmit exported credential files (creds.json, ~/.zalo-agent/*). The SKILL.md documents these risks and includes defensive guidance, but you should still avoid mass-forwarding contact lists or secrets without explicit user consent; (4) if you plan to run MCP or OA listeners on a VPS, protect endpoints with auth and firewall rules and confirm you understand proxy credentials handling. If you want higher assurance, review the zalo-agent project's source/release artifacts directly before installing the binary.
evals/eval-scenarios.md:186
Prompt-injection style instruction pattern detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.


latest vk97a8w20b0z1nkt7wdpb5n1z81835p2f


Runtime requirements

OS: macOS · Linux
Bins: zalo-agent
