Security audit

Zalo Multi Send

Security checks across malware telemetry and agentic risk

Overview

This skill transparently sends user-selected files or URL downloads through an existing Zalo account, with privacy care needed before use.

Install only if you intend to let the skill use your existing Zalo session to send selected files. Before running it, verify the recipient ID, group flag, credential profile, and every file path or URL; avoid sending sensitive local files or private/internal URLs unless you mean to share that content with the Zalo recipient.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill documentation explicitly supports sending local files and URL-sourced attachments to external Zalo recipients, but it does not clearly warn users that invoking the skill will transmit local data off-host. In an agent setting, this omission increases the risk of accidental data exfiltration, especially if users provide broad file paths or do not realize remote URLs may be fetched and forwarded.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.