Skill v1.3.0
ClawScan security
Zalo Agent CLI · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 18, 2026, 6:53 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is internally consistent with its stated purpose (it is an instruction-only adapter for the zalo-agent CLI); no unexplained credentials, installs, or capabilities were requested, but users should verify the zalo-agent binary they install and be cautious about webhooks and exporting credentials.
- Guidance: This skill is an instruction-only wrapper for the external 'zalo-agent' CLI and appears coherent. Before using it:
  - (1) obtain the zalo-agent binary from the official GitHub releases (verify checksums/signatures if available); the skill does not provide or install the binary;
  - (2) be careful when enabling listen --webhook: any configured webhook URL will receive message contents (PII), so only send events to endpoints you control and prefer HTTPS with authentication;
  - (3) never publish or transmit exported credential files (creds.json, ~/.zalo-agent/*). The SKILL.md documents these risks and includes defensive guidance, but you should still avoid mass-forwarding contact lists or secrets without explicit user consent;
  - (4) if you plan to run MCP or OA listeners on a VPS, protect endpoints with auth and firewall rules and confirm you understand proxy credentials handling.

  If you want higher assurance, review the zalo-agent project's source/release artifacts directly before installing the binary.
- Findings:
  - [prompt-injection:ignore-previous-instructions] expected: The phrase appears in the included evaluation scenarios (adversarial test prompts). These are part of the skill's test-suite and handling guidance (the SKILL.md includes explicit refusal guidance), so presence is expected rather than an active instruction to the agent to override policy.
  - [prompt-injection:you-are-now] expected: Similarly appears in attack/jailbreak test cases within the eval scenarios. The document instructs the agent to detect and refuse such prompt-injection attempts; inclusion is for testing/defense, not to perform an override.
Review Dimensions
- Purpose & Capability (ok): Name/description match the runtime instructions: the SKILL.md exclusively documents using the external 'zalo-agent' CLI to manage Zalo personal accounts, OA, and MCP. The only required binary is 'zalo-agent', which is appropriate for the described functionality. No unrelated credentials, binaries, or system paths are requested.
- Instruction Scope (note): Instructions stay within the stated domain (login, messaging, listen/webhook, OA, MCP). Notable behaviors that are expected but security-relevant: (1) listen --webhook forwards live event JSON to arbitrary endpoints (can exfiltrate PII if misconfigured); (2) login flow uses curl to discover server IP for QR URL (exposes server IP to the helper flow); (3) account export produces credential files which the docs explicitly warn are sensitive. These are consistent with the skill purpose but require careful user configuration and explicit consent before mass-forwarding or exporting secrets.
- Install Mechanism (ok): There is no install spec in the skill bundle (instruction-only). That minimizes risk from the skill itself writing or executing code. However, the skill depends on the external 'zalo-agent' binary; users must obtain and verify that binary separately (homepage points to a GitHub repo).
- Credentials (ok): The skill declares no required environment variables or credentials and the runtime instructions do not request secrets beyond the normal use of the external CLI (app ID/secret when using OA, proxy credentials used only if user supplies them). There is no unexplained request for unrelated tokens/keys.
- Persistence & Privilege (ok): The skill is not force-included (always=false) and does not request persistent platform privileges. It instructs use of local files (creds.json, ~/.zalo-agent/*) and starting local listeners (MCP/oa listen), but these are in-scope for the tool and documented as sensitive. No evidence the skill would modify other skills or global agent settings.
