ZaloClaw

Security checks across malware telemetry and agentic risk

Overview

This plugin is a real Zalo automation channel, but it grants broad account control and includes under-disclosed passive message logging, so users should review it carefully before installing.

Install only if you are comfortable giving an AI agent extensive control over a personal Zalo account. Use allowlists, disable open group/DM access where possible, restrict dangerous actions like chat deletion and group administration, do not enable passiveCollector unless every affected group understands the logging, and protect or periodically remove the saved credential and friend-request files under ~/.openclaw.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (22)

Context-Inappropriate Capability (High, 99% confidence)

The tool exposes an unusually broad set of administrative capabilities far beyond normal chat transport, including friend management, group administration, profile changes, config mutation, and account-level actions. In an agent context, this greatly expands blast radius: prompt injection or misrouting could trigger destructive or privacy-impacting operations on the user's real Zalo account.

Intent-Code Divergence (Medium, 97% confidence)

The code comments state that passiveCollector is intentionally omitted from the channel schema, yet runtime logic still reads and uses a hidden passive collector setting. Hidden, undocumented features that collect or transmit message data undermine transparency and bypass normal configuration review, making covert data collection easier.

Context-Inappropriate Capability (High, 99% confidence)

The passive collector captures group messages, sender identifiers, timestamps, and metadata, then indexes them externally. That behavior is not necessary for basic messaging functionality and creates a surveillance/data-exfiltration channel, especially dangerous in a messaging skill that passively observes group traffic.

Context-Inappropriate Capability (Medium, 96% confidence)

The document instructs the agent to run shell commands that pull code, install dependencies, run tests, and restart services. In an agent-help file, these are powerful state-changing operations that could modify the repository, execute untrusted post-install scripts, and disrupt running infrastructure if followed automatically without explicit user approval and scoped safeguards.

Context-Inappropriate Capability (Low, 94% confidence)

The file directs the agent to persist knowledge using store_memory, TOOLS.md, or session context as a mandatory startup behavior. This is dangerous because it pushes the agent to write persistent state beyond the immediate task, potentially causing silent repository modification, data retention, and cross-task contamination from adversarial instructions.

Intent-Code Divergence (Medium, 94% confidence)

The downloader conditionally disables SSRF protections for any URL matching a broad Zalo/ZDN hostname regex via `skipSsrfCheck: isZaloCdn`. If an attacker can supply or influence such a URL, they may reach internal resources or bypass network egress safeguards, especially if the trusted domain pattern is overly broad, can be misissued, or the upstream validator would otherwise block redirects/DNS resolution edge cases.

Intent-Code Divergence (Medium, 95% confidence)

The file-level comment states SSRF protection is provided by safeFetch, but the implementation conditionally disables SSRF validation for URLs matching a Zalo CDN-style regex via skipSsrfCheck: isZaloCdn. If that hostname allowlist or downstream redirect handling is incomplete, an attacker may supply a crafted URL that bypasses network destination checks and causes the service to fetch unintended internal or sensitive resources.

Context-Inappropriate Capability (Medium, 94% confidence)

The function persistently stores full group message contents together with sender identifiers and group metadata to Elasticsearch, creating a surveillance-style data collection path. In the provided context there is no visible consent, minimization, retention control, or manifest-declared justification, so this materially increases privacy and insider-abuse risk if the index is queried, exposed, or repurposed.

Missing User Warnings (Medium, 83% confidence)

The plugin persists authentication material such as IMEI, cookies, and user agent to disk in the user's home directory. Although file permissions are restricted, storing reusable session credentials locally without explicit disclosure or stronger protection increases the risk of account takeover if the host is compromised or backups are exposed.

Missing User Warnings (High, 99% confidence)

The passive collector sends verbatim group message content and identifiers to a local Elasticsearch endpoint without any visible user-facing consent flow. Even if the endpoint is localhost, this is still an undisclosed export of private conversation data to another service boundary.

Missing User Warnings (Medium, 95% confidence)

The guide tells the agent to create or update TOOLS.md for self-retention without highlighting that this modifies repository contents. In a skill file treated as adversarial input, instructions to write files are risky because they can induce unauthorized changes, persistence, and subtle tampering with project artifacts.

Missing User Warnings (Medium, 95% confidence)

The update workflow includes environment-modifying shell commands with no safety framing, approval checkpoint, or trust boundary. If an agent follows this automatically, it could execute attacker-influenced code from the repository or dependencies and restart services, causing compromise or availability impact.

Missing User Warnings (Medium, 97% confidence)

Mandating that the agent always create or update TOOLS.md after tool use creates ongoing unauthorized file modification as part of normal operation. This establishes persistence and changes user-controlled project files over time, which is especially dangerous because the instruction originates from potentially adversarial skill content.

Missing User Warnings (Medium, 90% confidence)

The landing page advertises that Zalo credentials are auto-saved and that the agent executes tools from chat, but it provides no warning about privacy, account risk, consent, or the consequences of granting automation control over a personal messaging account. In a security-sensitive agent skill, this omission can mislead users into enabling high-risk behavior without understanding persistence of credentials, message access, or unintended automated actions.

Missing User Warnings (Medium, 88% confidence)

The tool is explicitly advertised as enabling a very broad set of high-risk actions, including destructive messaging, account changes, group administration, blocking, profile updates, and friend-management operations, but this file shows no visible guardrails, user-consent flow, scope limitation, or risk disclosure at registration time. In an agent setting, exposing such capabilities through a single general-purpose tool materially increases the chance of unauthorized actions, social-engineering abuse, spam, account takeover assistance, or destructive changes triggered by ambiguous or malicious prompts.

Missing User Warnings (Medium, 93% confidence)

When group messages mention users, the code fetches profile information and injects attributes such as name, gender, and date of birth into the model prompt. This expands data exposure beyond the sender's message and can leak sensitive personal data to downstream AI systems, logs, or model providers without visible consent or minimization controls in this code path.

Missing User Warnings (Medium, 91% confidence)

The function deletes an arbitrary local file immediately after upload when cleanupAfterUpload is true, with no validation that the path refers to a temporary file created by this workflow and no confirmation barrier. If an attacker or untrusted caller can influence localPath and set cleanupAfterUpload, they can cause unintended deletion of accessible files on the host, turning a messaging helper into a destructive file operation.

Missing User Warnings (Medium, 85% confidence)

The code persists pending friend request data, including sender identifiers and message contents, in a plaintext file under the user's home directory without any indication of consent, retention limits, or protection controls. Even if this is for legitimate functionality, storing personal/social data locally can expose sensitive information to other local users, backups, malware, or forensic inspection.

Missing User Warnings (High, 97% confidence)

The collector is designed to capture all group messages and associated user identifiers and send them to an external datastore without any visible notice, consent, or user-facing disclosure. In this skill context that makes the behavior more dangerous because it is passive, broad in scope, and easy for users to miss, enabling covert logging of conversations and personal data.

Ssd 3 (High, 99% confidence)

The passive collector stores verbatim group messages along with sender IDs/names and timestamps in an external datastore, creating a durable record of private communications. This materially increases privacy risk, breach impact, and misuse potential, especially because collection is passive and hidden behind plugin configuration rather than overt user action.

Ssd 3 (Medium, 95% confidence)

The code prepends buffered recent group chat and mentioned-user profile details directly into the AI context, exposing messages and personal attributes from users other than the active requester. In a chat-to-LLM integration, this creates a concrete confidentiality risk because unrelated participants' content is forwarded to the model and persisted in session metadata.

Ssd 3 (Medium, 90% confidence)

The passive collector stores all group message content for later use, which is broad retention of user-generated data without visible scoping, minimization, or retention controls in this file. If the backing store is queried later or compromised, entire group conversations may be exposed beyond the original chat context.

VirusTotal

61/61 vendors flagged this plugin as clean.