← 返回 Skills 市场
2100
总下载
0
收藏
2
当前安装
2
版本数
在 OpenClaw 中安装
/install zalo
功能描述
OpenClaw skill for Zalo Bot API workflows (bot token) plus optional guidance on unofficial personal automation tools.
安全使用建议
This skill appears to be a legitimate Zalo bot guidance bundle, but it has two practical issues to consider before installing: (1) the skill's documents expect you to supply sensitive secrets (e.g., ZALO_BOT_TOKEN, optional tokenFile, webhookSecret), yet the registry metadata does not declare these required environment variables — verify what secrets the skill will actually read and how they will be provided; (2) the included 'personal automation' notes reference cookies and device identifiers (sensitive session state) and are explicitly unofficial — avoid using that branch in production and do not store cookies on shared hosts. Because this is instruction-only, there's no code to audit here, so confirm with the publisher (or view an implementation) how tokens and tokenFiles are read, whether anything will be transmitted to third-party endpoints, and whether the agent will be given those secrets for autonomous invocation. If the publisher updates the metadata to declare required env vars and provides an implementation you can inspect, re-evaluate; until then treat token/cookie provisioning conservatively and limit scope (use dev tokens, allowlists, rotate tokens).
功能分析
Type: OpenClaw Skill
Name: zalo
Version: 1.0.1
The skill is classified as suspicious due to its detailed guidance on 'unofficial personal automation' methods that involve handling highly sensitive 'cookies and device identifiers' for Zalo Web, as outlined in `references/zalo-personal-zca-js.md`. While the documentation explicitly warns about the risks (violating platform terms, account bans, sensitivity of cookies), providing instructions on how to manage such sensitive, non-API-based authentication data for potentially unauthorized automation introduces a significant security risk. The mention of `zca-js` and `zca-cli` also points to reliance on external, unofficial tools.
能力评估
Purpose & Capability
The name/description and all reference documents consistently describe Zalo Bot API workflows (token-based) and a clearly marked unofficial personal-automation branch. That capability set is coherent with a Zalo bot skill. However, the SKILL.md and references explicitly mention environment/config keys (e.g., ZALO_BOT_TOKEN, channels.zalo.botToken, tokenFile, webhookSecret) and say a bot token is a required input, but the registry metadata lists no required env vars or primary credential — an inconsistency between declared metadata and the instructions.
Instruction Scope
The SKILL.md and referenced files are operational guidance for webhook/polling, token handling, UX, routing, and cautions for unofficial automation. They do not instruct the agent to read unrelated system files or exfiltrate data; they explicitly advise not to log tokens and to protect cookies. The scope stays within building and operating a Zalo bot, aside from the separate personal-automation notes which deal with sensitive session state.
Install Mechanism
This is instruction-only with no install spec and no code files to execute — lowest install risk. The preregistry scan had nothing to analyze.
Credentials
The skill clearly needs sensitive credentials (bot token) and the personal-automation branch discusses cookies/device IDs, but the registry metadata does not declare any required env vars or primary credential. That omission is a red flag: the runtime instructions rely on secrets but the skill metadata does not advertise or restrict them. While the requested secrets are appropriate for a bot skill, the mismatch can lead to accidental exposure or improper handling. The personal-automation guidance also implies handling of very sensitive session cookies which increases risk if misused.
Persistence & Privilege
always is false and there are no install hooks or claims of modifying other skills or system-wide settings. The skill does not request permanent presence or elevated agent privileges in the metadata.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install zalo - 安装完成后,直接呼叫该 Skill 的名称或使用
/zalo触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.1
Version 1.0.1
- Added comprehensive reference documentation covering Zalo Bot API workflow, token setup, messaging capabilities, webhook handling, automation, and unofficial personal-account integration.
- Updated skill description to clarify support for bot tokens and mark unofficial personal methods separately.
- Expanded operational and security guidance, including messaging, validation, and automation best practices.
- Improved output expectations, providing clearer plans and checklists for bot workflow and integration tasks.
v1.0.0
- Initial release of the Zalo skill with integration guidance for Zalo OA and ZNS.
- Covers authentication, messaging, webhooks, and operational safety best practices.
- Includes checklists for rate limits, logging, and error handling.
- Provides input requirements and recommended outputs for integration planning.
元数据
常见问题
Zalo 是什么?
OpenClaw skill for Zalo Bot API workflows (bot token) plus optional guidance on unofficial personal automation tools. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 2100 次。
如何安装 Zalo?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install zalo」即可一键安装,无需额外配置。
Zalo 是免费的吗?
是的,Zalo 完全免费(开源免费),可自由下载、安装和使用。
Zalo 支持哪些平台?
Zalo 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Zalo?
由 codedao12(@codedao12)开发并维护,当前版本 v1.0.1。
推荐 Skills