← Back to Skills Marketplace
286
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install zalo-multi-send
Description
Send multiple images or files in a single Zalo message using zca-js directly. Use when the user asks to send multiple photos/files to a Zalo contact or group...
Usage Guidance
This skill appears to implement the stated feature, but take these precautions before installing or running it:
- Inspect and fix the ZCA_PATH: the script uses a hardcoded absolute path (/home/tuan/...) to require zca-js. That path is non-portable and could cause the script to load code from an unexpected user's directory. Prefer one of: (a) update the script to require the zca-js bundled by OpenClaw via a relative/known path or environment variable (e.g., allow ZCA_PATH override), (b) vendor zca-js with the skill, or (c) confirm with the publisher the correct, canonical path.
- Be aware the script reads credentials from ~/.openclaw/credentials/zalouser/credentials.json but the skill metadata didn't declare this. Confirm that the credentials file is managed by OpenClaw and contains only intended keys; do not run the script if you don't trust the credentials origin.
- Review the printed JSON output before sharing it: the script logs the full API response to stdout; inspect it for any sensitive fields you don't want exposed to logs.
- When testing, run the script under a limited user account or in a sandbox/container so any unexpected require() load executes in a controlled environment.
- If you plan to use it regularly, ask the publisher to correct the metadata (declare the credential path) and make ZCA_PATH configurable or remove hardcoded developer-specific paths.
If the publisher confirms the ZCA_PATH was a packaging mistake and provides a corrected/portable path (or an env var) and updates the metadata to declare the credential file, the concerns here would likely be resolved and confidence would increase.
Capability Analysis
Type: OpenClaw Skill
Name: zalo-multi-send
Version: 1.0.0
The skill contains a hardcoded absolute path to a specific user's home directory (/home/tuan/) for its core dependency (zca-js) in scripts/send.mjs, which is highly irregular for a portable skill bundle and suggests it was not designed for general use. While the logic aligns with the stated purpose of sending Zalo messages, the script's ability to read arbitrary local files and send them to a Zalo recipient poses a significant data exfiltration risk if the AI agent is prompted to access sensitive files (e.g., SSH keys or configuration files).
Capability Assessment
Purpose & Capability
The script's behavior (reading files/URLs and calling zca-js to send attachments) matches the skill description. However ZCA_PATH is hardcoded to an absolute developer path (/home/tuan/.../openclaw/extensions/zalouser/node_modules/zca-js) rather than using a portable or declared bundle path; the registry metadata did not declare the credential file location but the script requires ~/.openclaw/credentials/zalouser/credentials.json. These mismatches are unexpected for a publishable skill and reduce trust.
Instruction Scope
SKILL.md and the script instruct only to read local files (or fetch user-supplied URLs) and the OpenClaw-managed Zalo credentials, then call the Zalo API via zca-js. The script prints the full API result to stdout (JSON) which may include metadata — not necessarily secret but worth noting. It does not access unrelated system paths or network endpoints beyond user-supplied file URLs and the Zalo API (via zca-js).
Install Mechanism
There is no install spec (instruction-only with a shipped script), so nothing is downloaded during install. The main concern is runtime: the script requires a specific absolute path to zca-js instead of a robust resolution strategy, which is a packaging/deployment issue rather than an installer risk.
Credentials
Registry metadata declared no required env or config paths, but the script reads credentials from ~/.openclaw/credentials/zalouser/credentials.json and uses a hardcoded node-module path. The skill therefore relies on local credentials/config that were not declared in the metadata; that lack of declaration is an incoherence and a risk (the agent will fail or might load unexpected modules if the absolute path exists on the host).
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent platform privileges. It does not modify other skills or system-wide settings; no concerning persistence behavior is present.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install zalo-multi-send - After installation, invoke the skill by name or use
/zalo-multi-send - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: send multiple images/files in a single Zalo message using zca-js
Metadata
Frequently Asked Questions
What is Zalo Multi Send?
Send multiple images or files in a single Zalo message using zca-js directly. Use when the user asks to send multiple photos/files to a Zalo contact or group... It is an AI Agent Skill for Claude Code / OpenClaw, with 286 downloads so far.
How do I install Zalo Multi Send?
Run "/install zalo-multi-send" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Zalo Multi Send free?
Yes, Zalo Multi Send is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Zalo Multi Send support?
Zalo Multi Send is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Zalo Multi Send?
It is built and maintained by tuanbi97 (@tuanbi97); the current version is v1.0.0.
More Skills