← 返回 Skills 市场
286
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install zalo-multi-send
功能描述
Send multiple images or files in a single Zalo message using zca-js directly. Use when the user asks to send multiple photos/files to a Zalo contact or group...
安全使用建议
This skill appears to implement the stated feature, but take these precautions before installing or running it:
- Inspect and fix the ZCA_PATH: the script uses a hardcoded absolute path (/home/tuan/...) to require zca-js. That path is non-portable and could cause the script to load code from an unexpected user's directory. Prefer one of: (a) update the script to require the zca-js bundled by OpenClaw via a relative/known path or environment variable (e.g., allow ZCA_PATH override), (b) vendor zca-js with the skill, or (c) confirm with the publisher the correct, canonical path.
- Be aware the script reads credentials from ~/.openclaw/credentials/zalouser/credentials.json but the skill metadata didn't declare this. Confirm that the credentials file is managed by OpenClaw and contains only intended keys; do not run the script if you don't trust the credentials origin.
- Review the printed JSON output before sharing it: the script logs the full API response to stdout; inspect it for any sensitive fields you don't want exposed to logs.
- When testing, run the script under a limited user account or in a sandbox/container so any unexpected require() load executes in a controlled environment.
- If you plan to use it regularly, ask the publisher to correct the metadata (declare the credential path) and make ZCA_PATH configurable or remove hardcoded developer-specific paths.
If the publisher confirms the ZCA_PATH was a packaging mistake and provides a corrected/portable path (or an env var) and updates the metadata to declare the credential file, the concerns here would likely be resolved and confidence would increase.
功能分析
Type: OpenClaw Skill
Name: zalo-multi-send
Version: 1.0.0
The skill contains a hardcoded absolute path to a specific user's home directory (/home/tuan/) for its core dependency (zca-js) in scripts/send.mjs, which is highly irregular for a portable skill bundle and suggests it was not designed for general use. While the logic aligns with the stated purpose of sending Zalo messages, the script's ability to read arbitrary local files and send them to a Zalo recipient poses a significant data exfiltration risk if the AI agent is prompted to access sensitive files (e.g., SSH keys or configuration files).
能力评估
Purpose & Capability
The script's behavior (reading files/URLs and calling zca-js to send attachments) matches the skill description. However ZCA_PATH is hardcoded to an absolute developer path (/home/tuan/.../openclaw/extensions/zalouser/node_modules/zca-js) rather than using a portable or declared bundle path; the registry metadata did not declare the credential file location but the script requires ~/.openclaw/credentials/zalouser/credentials.json. These mismatches are unexpected for a publishable skill and reduce trust.
Instruction Scope
SKILL.md and the script instruct only to read local files (or fetch user-supplied URLs) and the OpenClaw-managed Zalo credentials, then call the Zalo API via zca-js. The script prints the full API result to stdout (JSON) which may include metadata — not necessarily secret but worth noting. It does not access unrelated system paths or network endpoints beyond user-supplied file URLs and the Zalo API (via zca-js).
Install Mechanism
There is no install spec (instruction-only with a shipped script), so nothing is downloaded during install. The main concern is runtime: the script requires a specific absolute path to zca-js instead of a robust resolution strategy, which is a packaging/deployment issue rather than an installer risk.
Credentials
Registry metadata declared no required env or config paths, but the script reads credentials from ~/.openclaw/credentials/zalouser/credentials.json and uses a hardcoded node-module path. The skill therefore relies on local credentials/config that were not declared in the metadata; that lack of declaration is an incoherence and a risk (the agent will fail or might load unexpected modules if the absolute path exists on the host).
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent platform privileges. It does not modify other skills or system-wide settings; no concerning persistence behavior is present.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install zalo-multi-send - 安装完成后,直接呼叫该 Skill 的名称或使用
/zalo-multi-send触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release: send multiple images/files in a single Zalo message using zca-js
元数据
常见问题
Zalo Multi Send 是什么?
Send multiple images or files in a single Zalo message using zca-js directly. Use when the user asks to send multiple photos/files to a Zalo contact or group... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 286 次。
如何安装 Zalo Multi Send?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install zalo-multi-send」即可一键安装,无需额外配置。
Zalo Multi Send 是免费的吗?
是的,Zalo Multi Send 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
Zalo Multi Send 支持哪些平台?
Zalo Multi Send 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Zalo Multi Send?
由 tuanbi97(@tuanbi97)开发并维护,当前版本 v1.0.0。
推荐 Skills