zenzap-onboarding
Security checks across malware telemetry and agentic risk
Overview
This skill appears to do what it says—set up a Zenzap workspace—but it gives a plugin/API credentialed access to the new workspace, so users should review that access carefully.
Before installing, confirm you trust the Zenzap plugin source, understand that a real workspace and bot credentials will be created, explicitly approve the invite email and topics, and know how to revoke or rotate the API credentials if needed.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the plugin changes the agent environment and later gives the plugin Zenzap connection credentials.
The skill asks the user to install an external plugin, but that plugin's code and provenance are not included in the reviewed artifacts.
openclaw plugins install @zenzap-co/openclaw-plugin
Install the plugin only from a trusted source and review its permissions before configuring it.
The agent or configured plugin can act as the bot inside the Zenzap workspace using these credentials.
The skill obtains API credentials for the newly created workspace and instructs the agent/plugin to use them for authentication.
"credentials" | **API Key** for Bearer auth, **API Secret** for HMAC-SHA256 signing (store securely), **Control Topic ID**.
Treat the returned API key and secret as sensitive, store them securely, and confirm how to revoke or rotate them.
Workspace events and messages may be routed to the agent through the plugin.
The skill establishes an event-routing channel between the Zenzap workspace and the agent/plugin, which is central to the integration but carries workspace messages/events.
Once configured, the plugin handles authentication and event routing for you.
Use this only if you want the agent connected to Zenzap events, and verify what event data the plugin receives.
The agent can create channels in the new workspace after confirmation.
The skill can mutate the Zenzap workspace by creating topics, but it explicitly says to wait for user confirmation first.
Once confirmed, create each topic: POST https://api.zenzap.co/v2/topics
Confirm the exact topics before allowing creation, especially in a real company workspace.
The agent may need to ask for an email separately before creating the workspace and sending an invitation.
The listed four questions omit the human email even though the API request schema later marks humanEmail as required, so the data-collection instructions are slightly incomplete.
Ask the human these 4 questions before calling the API. Do not assume or infer any answers:
Make sure the agent explicitly asks which email address to invite before submitting the onboarding request.