← Back to Skills Marketplace
2100
Downloads
0
Stars
2
Active Installs
2
Versions
Install in OpenClaw
/install zalo
Description
OpenClaw skill for Zalo Bot API workflows (bot token) plus optional guidance on unofficial personal automation tools.
Usage Guidance
This skill appears to be a legitimate Zalo bot guidance bundle, but it has two practical issues to consider before installing: (1) the skill's documents expect you to supply sensitive secrets (e.g., ZALO_BOT_TOKEN, optional tokenFile, webhookSecret), yet the registry metadata does not declare these required environment variables — verify what secrets the skill will actually read and how they will be provided; (2) the included 'personal automation' notes reference cookies and device identifiers (sensitive session state) and are explicitly unofficial — avoid using that branch in production and do not store cookies on shared hosts. Because this is instruction-only, there's no code to audit here, so confirm with the publisher (or view an implementation) how tokens and tokenFiles are read, whether anything will be transmitted to third-party endpoints, and whether the agent will be given those secrets for autonomous invocation. If the publisher updates the metadata to declare required env vars and provides an implementation you can inspect, re-evaluate; until then treat token/cookie provisioning conservatively and limit scope (use dev tokens, allowlists, rotate tokens).
Capability Analysis
Type: OpenClaw Skill
Name: zalo
Version: 1.0.1
The skill is classified as suspicious due to its detailed guidance on 'unofficial personal automation' methods that involve handling highly sensitive 'cookies and device identifiers' for Zalo Web, as outlined in `references/zalo-personal-zca-js.md`. While the documentation explicitly warns about the risks (violating platform terms, account bans, sensitivity of cookies), providing instructions on how to manage such sensitive, non-API-based authentication data for potentially unauthorized automation introduces a significant security risk. The mention of `zca-js` and `zca-cli` also points to reliance on external, unofficial tools.
Capability Assessment
Purpose & Capability
The name/description and all reference documents consistently describe Zalo Bot API workflows (token-based) and a clearly marked unofficial personal-automation branch. That capability set is coherent with a Zalo bot skill. However, the SKILL.md and references explicitly mention environment/config keys (e.g., ZALO_BOT_TOKEN, channels.zalo.botToken, tokenFile, webhookSecret) and say a bot token is a required input, but the registry metadata lists no required env vars or primary credential — an inconsistency between declared metadata and the instructions.
Instruction Scope
The SKILL.md and referenced files are operational guidance for webhook/polling, token handling, UX, routing, and cautions for unofficial automation. They do not instruct the agent to read unrelated system files or exfiltrate data; they explicitly advise not to log tokens and to protect cookies. The scope stays within building and operating a Zalo bot, aside from the separate personal-automation notes which deal with sensitive session state.
Install Mechanism
This is instruction-only with no install spec and no code files to execute — lowest install risk. The preregistry scan had nothing to analyze.
Credentials
The skill clearly needs sensitive credentials (bot token) and the personal-automation branch discusses cookies/device IDs, but the registry metadata does not declare any required env vars or primary credential. That omission is a red flag: the runtime instructions rely on secrets but the skill metadata does not advertise or restrict them. While the requested secrets are appropriate for a bot skill, the mismatch can lead to accidental exposure or improper handling. The personal-automation guidance also implies handling of very sensitive session cookies which increases risk if misused.
Persistence & Privilege
always is false and there are no install hooks or claims of modifying other skills or system-wide settings. The skill does not request permanent presence or elevated agent privileges in the metadata.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install zalo - After installation, invoke the skill by name or use
/zalo - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
Version 1.0.1
- Added comprehensive reference documentation covering Zalo Bot API workflow, token setup, messaging capabilities, webhook handling, automation, and unofficial personal-account integration.
- Updated skill description to clarify support for bot tokens and mark unofficial personal methods separately.
- Expanded operational and security guidance, including messaging, validation, and automation best practices.
- Improved output expectations, providing clearer plans and checklists for bot workflow and integration tasks.
v1.0.0
- Initial release of the Zalo skill with integration guidance for Zalo OA and ZNS.
- Covers authentication, messaging, webhooks, and operational safety best practices.
- Includes checklists for rate limits, logging, and error handling.
- Provides input requirements and recommended outputs for integration planning.
Metadata
Frequently Asked Questions
What is Zalo?
OpenClaw skill for Zalo Bot API workflows (bot token) plus optional guidance on unofficial personal automation tools. It is an AI Agent Skill for Claude Code / OpenClaw, with 2100 downloads so far.
How do I install Zalo?
Run "/install zalo" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Zalo free?
Yes, Zalo is completely free (open-source). You can download, install and use it at no cost.
Which platforms does Zalo support?
Zalo is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Zalo?
It is built and maintained by codedao12 (@codedao12); the current version is v1.0.1.
More Skills