Zalo Agent CLI

Security checks across malware telemetry and agentic risk

Overview

This Zalo automation skill appears purpose-aligned, but it needs review because it can operate real accounts, forward or store private messages, and export credentials without enough safety scoping.

Install only if you intend to let an agent operate your Zalo account or Official Account. Before using it, restrict it to trusted conversations and endpoints, avoid unauthenticated public MCP or webhook exposure, do not use `--no-verify` outside local testing, treat exported credentials as account-takeover secrets, and define retention/deletion rules for any saved message logs.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access

Findings (11)

Vague Triggers

Severity: Medium
Confidence: 91%
Finding
The trigger list includes broad phrases such as 'official account', 'bank card', and 'MCP server' that can plausibly appear in unrelated conversations, causing the skill to activate outside a clear Zalo-specific context. In a skill that can send messages, forward webhook data, and interact with account features, accidental invocation increases the risk of unintended actions or disclosure.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The skill documents webhook forwarding and local log saving but does not prominently warn that message contents, contact identifiers, and event metadata may be transmitted to third-party endpoints or stored on disk. Because this skill handles personal messaging and OA data, missing privacy warnings can lead users to expose sensitive communications unintentionally.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
The command reference documents `account export [ownerId] [-o path]` without any warning that it exports account credentials to disk. In a messaging automation skill, credential export materially increases the chance of account takeover or unintended secret disclosure if an agent or user invokes it casually, especially when output paths may be insecure or shared.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The `listen` command supports `-w url` webhook forwarding, but the reference does not disclose that message, friend, group, or reaction event data may be transmitted to a remote endpoint. In this skill's context, the listener can expose chat metadata or content to third parties, creating privacy and data exfiltration risk if users do not understand what is being forwarded.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The guide explicitly forwards message, friend-request, group, and reaction event data to arbitrary webhook URLs and shows full event payloads, but provides no warning about transmitting potentially sensitive personal data off-platform. In a messaging automation skill, this can lead to unintended disclosure of message contents, identifiers, and social-graph data to third-party systems or insecure endpoints, especially if users copy the example configuration directly.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The JSONL save mode documents persistent per-thread logging of events without warning that this creates local at-rest copies of message and relationship data. On shared hosts, developer laptops, or long-running production systems, these logs can accumulate sensitive content and metadata that may later be exposed through weak filesystem permissions, backups, or compromise.

Missing User Warnings

Severity: Low
Confidence: 72%
Finding
Presenting `--auto-accept` as a simple flag without any caution can encourage users to automatically trust inbound friend requests, weakening account hygiene and increasing exposure to spam, phishing, social engineering, or unwanted contact. In the context of a messaging agent tied to a real account, automatic acceptance expands the reachable attack surface and may enable subsequent malicious interactions.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The document instructs users to export a reusable `creds.json` session file and use it for login on another machine. Although it later says to treat the file as a secret, it does not make explicit that anyone who copies or reuses that file can likely authenticate as the account holder, which increases the risk of accidental credential theft, insecure sharing, or misuse in CI/server migration workflows.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The documentation instructs users to pass app IDs and secrets directly on the command line in non-interactive examples. On many systems, command-line arguments can be exposed via shell history, process listings, CI logs, and audit tooling, which can leak long-lived credentials to other users or systems.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The file documents storage of app secrets, access tokens, and refresh tokens in a local credentials file without any caution about rotation, backup exposure, endpoint compromise, or secure handling beyond file mode. These values grant API access and session continuity, so disclosure could allow message sending, follower data access, and OA account manipulation.

Tool Parameter Abuse

Severity: High
Category: Tool Misuse
Content
**Expected reasoning:**
1. OA webhook → `oa listen` + ngrok tunnel
2. Start listener: `zalo-agent oa listen -p 3000 --no-verify`
3. Start tunnel: `ngrok http 3000`
4. Get ngrok URL from ngrok API or output
5. Instruct user: set webhook URL at developers.zalo.me → Webhook
Confidence: 89%
Finding
`--no-verify`

VirusTotal

59/59 vendors flagged this skill as clean.