Openclaw Zalo Mod

Warn

Audited by ClawScan on May 12, 2026.

Overview

The plugin mostly matches its Zalo moderation purpose, but it can automatically broaden OpenClaw/Zalo access and bootstrap powerful owner control through DM, so it should be reviewed before use.

Install only if you want this plugin to manage Zalo group moderation. Before enabling it, set ownerId and allowedDmUsers yourself, review any openclaw.json changes, avoid wildcard all-group access unless intended, and decide whether chat tracking or memory storage is appropriate for your groups.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the bot is reachable before the intended owner safely claims it, another person could become owner and control moderation settings across Zalo groups.

Why it was flagged

The documented setup grants bot owner authority from a private-message command. Owner authority is high-impact because the same README lists DM commands that can mute, silence, track, welcome, and follow groups.

Skill content
Step 2: Claim Owner rights ... Send a private DM to the bot: i'm admin ... The bot will automatically write ownerId to the config
Recommendation

Preconfigure ownerId and allowedDmUsers before enabling the plugin, or require a local/admin confirmation step before accepting any DM-based owner claim.

What this means

The bot may start processing Zalo messages across more groups than the user intended, and existing OpenClaw channel behavior may be changed automatically.

Why it was flagged

The plugin can automatically modify OpenClaw configuration to bind the Zalo channel to an agent and enable all groups with a wildcard instead of requiring explicit per-group selection.

Skill content
config.bindings.push({ agentId, match: { channel: 'zalouser' } }); ... config.channels.zalouser.groups = { '*': { enabled: true, requireMention: false } };
Recommendation

Require explicit user approval for openclaw.json changes, avoid wildcard group enablement by default, and document exactly which bindings and group settings will be changed.

What this means

Group IDs and labels from existing OpenClaw sessions may be used to populate the plugin's configuration.

Why it was flagged

The plugin reads OpenClaw session metadata across agent directories to discover Zalo groups. This is purpose-aligned for group registration, but it touches local session state beyond the plugin's own data directory.

Skill content
// Also scan agents/ dir for any agent ... const sessPath = path.join(openclawHome, 'agents', aid, 'sessions', 'sessions.json');
Recommendation

Run it only in an OpenClaw home where the plugin is allowed to see those agent sessions, and prefer an explicit agent/group selection when possible.

What this means

Zalo group information may be stored locally and later reused by the bot or memory system.

Why it was flagged

The plugin can persist group-derived content into local memory and can enable chat history tracking. This is disclosed and related to moderation, but it affects privacy and future agent context.

Skill content
Memory Sync ... /[botname]-memory — save the digest to skills/memory/ ... tracking-on — Enable chat history logging
Recommendation

Enable memory and tracking only for groups that have consented, review the stored memory files periodically, and define retention or deletion practices.