Trusted — Risk Score 5/100
Last scan: 1 day ago
zalo-agent
Automate Zalo messaging, Official Account (OA), and MCP server integration via zalo-agent-cli
This is a pure-documentation skill wrapper for the open-source zalo-agent CLI tool. It contains no executable code, scripts, or binaries — only Markdown reference files. All shell usage is via the documented zalo-agent binary invocation, with strong security model declarations and defensive eval scenarios.
Skill Name: zalo-agent
Duration: 34.0s
Engine: pi
Safe to install
Approve for use. The skill's Security Model section provides solid guardrails. Consider adding version-pinning guidance for zalo-agent and confirming the external binary provenance on the GitHub repository.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | READ | ✓ Aligned | SKILL.md Security Model: 'This skill never reads, writes, or transmits credentia… |
| Shell | WRITE | WRITE | ✓ Aligned | SKILL.md: invokes zalo-agent CLI binary; metadata requires zalo-agent binary |
| Network | NONE | READ | ✓ Aligned | SKILL.md: 'Webhook URLs are user-specified only' — no hardcoded exfil endpoints |
| credential_theft | NONE | NONE | | E12/E18 explicitly refuse credential display; credential storage paths are docum… |
6 findings
Medium · External URL · http://n8n.local/webhook/zalo · SKILL.md:69
Medium · External URL · http://zalo-free-coins.xyz/claim · evals/eval-scenarios.md:242
Medium · External URL · https://vps-domain.com · evals/eval-scenarios.md:338
Medium · External URL · http://$SERVER_IP:18927/qr · references/login-flow.md:19
Medium · External URL · http://your-vps:3847 · references/mcp-guide.md:40
Medium · External URL · https://server.com/webhook · references/oa-command-reference.md:14

File Tree

7 files · 37.8 KB · 1127 lines
Markdown 7f · 1127L
├─ 📁 evals
│ └─ 📝 eval-scenarios.md Markdown 359L · 11.9 KB
├─ 📁 references
│ ├─ 📝 command-reference.md Markdown 143L · 4.9 KB
│ ├─ 📝 listen-mode-guide.md Markdown 82L · 2.5 KB
│ ├─ 📝 login-flow.md Markdown 76L · 2.3 KB
│ ├─ 📝 mcp-guide.md Markdown 174L · 4.0 KB
│ └─ 📝 oa-command-reference.md Markdown 128L · 3.7 KB
└─ 📝 SKILL.md Markdown 165L · 8.4 KB

Security Positives

✓ Pure Markdown documentation — no executable code, scripts, or binaries present
✓ Comprehensive Security Model section declaring no code execution, no credential access, no default webhooks
✓ Defensive eval-scenarios.md covers 8 security scenarios: credential leak (E12), prompt injection (E13), jailbreak (E14), mass PII exfiltration warning (E15), system prompt leak (E16), phishing link mass-send warning (E17), credential export display (E18), OA credential exposure (E24)
✓ All shell invocations are through the documented zalo-agent binary only — no raw subprocess or eval patterns
✓ QR server behavior clearly documented as temporary, local-only, auto-terminating
✓ No base64, no obfuscation, no anti-analysis patterns found
✓ Credential files (~/.zalo-agent-cli/, ~/.zalo-agent/) are managed by the CLI binary — the skill explicitly disclaims reading/writing them
✓ Webhook destinations are always user-specified; no default exfiltration endpoints
✓ Sensitive path access (E01 login-flow.md) uses ifconfig.me for legitimate QR URL construction — documented and necessary
✓ No supply chain risk: no package.json, requirements.txt, or dependency files