ClawHub

Openclaw Skill Zalo Sticker Mention

Security checks across malware telemetry and agentic risk

Overview

The skill does what it says, but it permanently patches installed Zalo driver code across discovered OpenClaw locations without enough scoping or confirmation.

Review mentions.js before installing, and only run it if you intentionally want to modify the installed @openclaw/zalouser driver. Prefer testing in a disposable or non-production OpenClaw workspace first, because the patch may affect multiple discovered Zalo driver installs and will persist until restored with the provided --restore command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Telling users to run a local Node.js patch script for a messaging convenience feature expands the trust boundary from normal skill use to arbitrary local code execution. In this context, the script appears unnecessary from the user-facing description alone, so the instruction can conceal privileged filesystem or package tampering and creates a social-engineering path to unsafe execution.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script scans multiple installation paths, locates built library artifacts, and rewrites dependency files in place to inject new behavior. That is a powerful and invasive capability far beyond a normal skill boundary, creates persistent supply-chain style modification of shared code, and can affect other skills or projects using the same library.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The patcher/restore utility gives the skill arbitrary code modification capability over installed library files, which is not required for simply tagging users and sending stickers. Even if intended for compatibility, this broad file-write behavior expands the attack surface and enables persistent tampering of runtime dependencies.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README explicitly instructs users to run a patch script that modifies channel driver files in the workspace, but it does not clearly warn that installation changes application code and could affect bot behavior, stability, or future upgrades. In a skill ecosystem, encouraging direct patching without prominent cautions increases the risk of unsafe deployment and makes it easier for users to apply invasive changes without understanding the consequences.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script overwrites installed files and creates/restores backups with only console logs, not meaningful consent or safety checks. Silent modification of dependencies can break environments, undermine operator trust, and make unauthorized tampering harder to notice, especially because the changes persist beyond one execution.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Writing modified code into discovered dependency files after scanning multiple project roots is dangerous because it silently affects whichever matching installations are found, potentially including shared or unrelated projects. The combination of broad path discovery and unconditional writes increases the risk of unintended cross-project modification and persistent compromise of dependency code.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal