Scan report
5/100
zalo-multi-send
Send multiple images or files in a single Zalo message using zca-js directly
This is a legitimate Zalo multi-file sending utility that reads credentials locally for authentication and uses them only to send files via Zalo API—no exfiltration, no obfuscation, no unauthorized access.
OK to install
No action needed. The skill is safe to use.
| Resource type | Declared permission | Inferred permission | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ | READ | ✓ Consistent | scripts/send.mjs:47-48 reads credentials.json; line 73 reads local files |
| Network access | READ | READ | ✓ Consistent | scripts/send.mjs:68 uses fetch() to download URLs for attachments only |
| Environment variables | NONE | READ | ✓ Consistent | scripts/send.mjs:49 uses os.homedir() to locate credentials path |
| Command execution | NONE | NONE | — | No subprocess or exec calls found |
| Skill invocation | NONE | NONE | — | No recursive skill invocation |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | No browser automation |
| Database | NONE | NONE | — | No database access |
2 findings
Medium severity · External URL · https://files.catbox.moe/abc.png · SKILL.md:42
Medium severity · External URL · https://files.catbox.moe/def.png · SKILL.md:42
Directory structure
2 files · 6.2 KB · 163 lines
JavaScript 1f · 105L
Markdown 1f · 58L
├─ scripts
│  └─ send.mjs (JavaScript)
└─ SKILL.md (Markdown)
Security highlights
✓ Credentials used only for local Zalo API authentication, not exfiltrated
✓ URL fetching restricted to loading attachment files (not for C2 or data theft)
✓ No base64 encoding, obfuscation, or anti-analysis techniques
✓ No remote script execution (curl|bash, wget|sh)
✓ No subprocess or shell command execution
✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env
✓ Clear documentation with accurate capability declarations
✓ Uses openclaw's credential management system as intended
✓ Hardcoded ZCA_PATH is a minor usability issue but not a security risk—it references the legitimate bundled zca-js library