ClawHub

Openclaw Zalo Mod Build

Security checks across malware telemetry and agentic risk

Overview

This Zalo moderation plugin is mostly purpose-aligned, but it takes high-impact account and system control with several under-disclosed and weakly scoped behaviors.

Review this carefully before installing. It can use your Zalo session to read group/member data and take live admin actions, send real messages, alter OpenClaw configuration, persist local records, run a dashboard with a fallback token, and contact license verification endpoints with a device-derived identifier. Install only in a controlled OpenClaw/Zalo environment where the bot account and dashboard port are protected, and prefer a readable non-obfuscated build with explicit documentation of session access, config writes, dashboard authentication, and license telemetry.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (2898)

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The sidebar copy says high-risk actions always need confirmation and are audit logged, but the member kick path triggered from the member list uses a browser confirm and then directly posts `remove-user` without the two-step typed confirmation used elsewhere. This is an active contradiction between the documented safety model and implemented behavior.

Intent-Code Divergence

Low
Confidence
98% confidence
Finding
The markup declares headers for only Group, Approval, Features, and Smart modes, yet each row renders an additional fifth cell containing a Settings button. This is a direct documentation/intent mismatch inside the UI structure rather than a mere omission in code comments.

Context-Inappropriate Capability

High
Confidence
89% confidence
Finding
The code does substantially more than in-chat moderation or message handling: it starts an HTTP server, serves a dashboard, exposes authenticated API endpoints, and allows administrative actions over groups and users. With no manifest describing a web UI or remote administration surface, this is an unjustified capability relative to the skill's unknown stated purpose.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The code computes a device identifier from hostname, platform, and CPU model information, then validates license keys including outbound fetch calls to verification endpoints. For a skill whose purpose is unknown, this hardware fingerprinting and external licensing behavior is not justified by the observable chat-management functionality.

Context-Inappropriate Capability

High
Confidence
91% confidence
Finding
The code loads Zalo session data from workspace files/cookies, imports additional modules from local extension paths at runtime, and uses those sessions to enumerate groups, members, pending requests, and send messages. This is a powerful account-access capability that is not justified by any stated purpose in the absent manifest.

Intent-Code Divergence

Medium
Confidence
77% confidence
Finding
The file is heavily obfuscated, which prevents comments, identifiers, and structure from accurately communicating the implementation's real behavior. In practice, the code includes config patching, remote dashboard APIs, account/session access, and group administration capabilities that are not transparently represented by the code's inline intent signals.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This markdown file documents a behavior that changes access control by assigning ownership based on a DM message. Because this affects system integrity and authorization, the skill description should explicitly warn users to perform it only in a trusted setup and to protect the bot account from unauthorized messages.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The skill description states that the bot will query the Zalo API and persist group administrative metadata to configuration. Because this involves collecting and storing group-related identifiers, the markdown should disclose that these values are retrieved and saved locally so operators understand the privacy and configuration impact.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This markdown file documents that the plugin saves digests into `skills/memory/`, which affects local stored data. Elsewhere it also states the bot will automatically write `ownerId` and group/admin metadata into config, but the documentation does not clearly warn users that the skill modifies local files/state as part of operation.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The dashboard description says users can compose and send messages directly to groups, which is an externally visible action that can affect user communications. The markdown explains the feature but does not include a cautionary warning that using it will send real messages to live groups.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The setup instructions state that sending a DM such as `i'm admin` causes the bot to auto-write `ownerId` to config, and `/bot-rules groupid` causes it to fetch admin metadata from the Zalo API and write it into config. These are state-changing and network-dependent behaviors, but the README does not clearly warn users that configuration will be modified automatically.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
When the page is opened from file://, the code silently falls back to `openclaw-zalo-mod` if no token is present. Because this token is then used for authenticated API calls, users are not clearly informed that the dashboard may connect using a default shared credential, which is a safety-relevant operation affecting access control.

Natural-Language Policy Violations

Low
Confidence
93% confidence
Finding
The document is declared with `lang="vi"`, and the runtime also defaults to Vietnamese unless a prior preference exists. This imposes a specific locale by default rather than offering a neutral initial choice or explicit opt-in, which conflicts with the language-choice policy.

Natural-Language Policy Violations

Low
Confidence
95% confidence
Finding
The language state is initialized from localStorage and falls back to `'vi'` when no preference has been set. Although a toggle exists later, first-run users are still placed into a specific language automatically rather than being offered a choice upfront.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This file repeatedly writes configuration and data files, creates directories, and changes filesystem permissions, including patching config files and calling chmodSync, but provides no user confirmation prompt or clear user-facing disclosure in the code. For a code file, these are safety-relevant modifications that should be explicitly disclosed unless clearly expected from the skill's stated purpose, which is not evident from this file alone.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The code performs HTTP requests to remote license verification endpoints using the provided key and derived device identifier, but there is no visible user-facing notice or consent flow around this transmission. Network transmission of device-related data should be disclosed in code files when no warning or confirmation is present.

Natural-Language Policy Violations

Medium
Confidence
98% confidence
Finding
The skill's natural-language prompts, menus, rules, and user-facing messages are written to require Vietnamese behavior and responses, but there is no indication that users can choose another language or opt in to this locale constraint. This is a language/locale policy concern because the skill appears to enforce a specific language by default.

Vague Triggers

Medium
Confidence
92% confidence
Finding
This manifest enables the plugin on startup and whenever the generic "hook" capability is present, but it does not specify narrower trigger constraints or exclusion conditions. Because this is a manifest file, the broad activation scope can lead to unintended invocation outside a clearly defined Zalo moderation context.

Natural-Language Policy Violations

Low
Confidence
86% confidence
Finding
Several descriptions include Vietnamese text and mixed English/Vietnamese phrasing, such as configuration help strings, without indicating that the skill is intended only for Vietnamese-speaking users or offering a language/locale choice. This can violate language or locale policy when users are implicitly forced into a specific language experience.

Natural-Language Policy Violations

Low
Confidence
88% confidence
Finding
The ownerId and allowedDmUsers descriptions are written in Vietnamese, which imposes a language-specific configuration experience without opt-in or a stated regional scope. In the absence of documented locale justification, this is a natural-language policy issue.

External Transmission

Medium
Category
Data Exfiltration
Content
const donateBody = `
        <div class="donate-modal-content" style="display: flex; flex-direction: column; align-items: center; text-align: center; gap: 16px; padding: 10px 0;">
          <div style="background: white; padding: 12px; border-radius: 16px; border: 1.5px solid var(--line); display: inline-block; box-shadow: 0 10px 25px rgba(0,0,0,0.05); margin: 4px 0;">
            <img src="https://api.vietqr.io/image/970422-0962794917-MP4UJW0S.jpg?accountName=HO%20LE%20MINH%20TUAN" alt="Donate QR" style="width: 240px; height: 240px; object-fit: contain; border-radius: 8px; display: block;"/>
          </div>
          <div style="font-size: 13px; color: var(--text); display: flex; flex-direction: column; gap: 6px; background: var(--surface-2); padding: 12px 20px; border-radius: 12px; border: 1px solid var(--line); width: 100%; max-width: 320px;">
            <div style="display: flex; justify-content: space-between; gap: 12px;"><span style="color: var(--text-muted);">${t('Ngân hàng:', 'Bank:')}</span><strong style="color: var(--text);">MB Bank (Quân Đội)</strong></div>
Confidence
50% confidence
Finding
https://api.vietqr.io/

Scope Creep

Low
Category
Excessive Agency
Content
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
Confidence
70% confidence
Finding
NOT LIMITED TO

Unbounded Output

Medium
Category
Output Handling
Content
| **Anti-Spam**            | 0     | Detect repeated messages, suspicious links, emoji floods                                                                                       |
| **Admin Notes**          | 0     | `/note [text]` — quick admin annotations                                                                                                       |
| **Memory Sync**          | 0     | `/memory` — saves context digest in `skills/memory/`                                                                                           |
| **Smart Q&A**            | 0     | Native retrieval: "who is warned?", "spam log?" via local data                                                                                 |
| **ZCA Admin Sync**       | 0     | Synchronizes `creatorId` & `adminIds` from Zalo API                                                                                            |
| **Owner DM**             | 0     | Administrative command control panel over private DM                                                                                           |
Confidence
80% confidence
Finding
spam log

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
Copy-Item -Path "D:\openclaw-zalo-mod\index.js" -Destination "E:\final\.openclaw\extensions\zalo-mod\index.js" -Force

# Fix quyền (Windows bind mount tạo quyền 777)
docker exec openclaw-bot chmod 644 /root/project/.openclaw/extensions/zalo-mod/index.js

# Restart
docker restart openclaw-bot
Confidence
80% confidence
Finding
chmod 644

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
Copy-Item -Path "D:\openclaw-zalo-mod\index.js" -Destination "E:\final\.openclaw\extensions\zalo-mod\index.js" -Force

# Fix quyền (Windows bind mount tạo quyền 777 — OpenClaw sẽ từ chối load)
docker exec openclaw-bot chmod 644 /root/project/.openclaw/extensions/zalo-mod/index.js

# Restart
docker restart openclaw-bot
Confidence
80% confidence
Finding
chmod 644

VirusTotal

64/64 vendors flagged this plugin as clean.

View on VirusTotal