zalo-agent 安全扫描报告 — 可信 | ClawSafe

5 /100

zalo-agent

Automate Zalo messaging, Official Account (OA), and MCP server integration via zalo-agent-cli

This is a pure-documentation skill wrapper for the open-source zalo-agent CLI tool. It contains no executable code, scripts, or binaries — only Markdown reference files. All shell usage is via the documented zalo-agent binary invocation, with strong security model declarations and defensive eval scenarios.

技能名称zalo-agent

分析耗时34.0s

引擎pi

✓

可以安装

Approve for use. The skill's Security Model section provides solid guardrails. Consider adding version-pinning guidance for zalo-agent and confirming the external binary provenance on the GitHub repository.

资源类型	声明权限	推断权限	状态	证据
文件系统	`NONE`	`READ`	✓ 一致	SKILL.md Security Model: 'This skill never reads, writes, or transmits credentia…
命令执行	`WRITE`	`WRITE`	✓ 一致	SKILL.md: invokes zalo-agent CLI binary; metadata requires zalo-agent binary
网络访问	`NONE`	`READ`	✓ 一致	SKILL.md: 'Webhook URLs are user-specified only' — no hardcoded exfil endpoints
凭证窃取	`NONE`	`NONE`	—	E12/E18 explicitly refuse credential display; credential storage paths are docum…

6 项发现

🔗

中危外部 URL 外部 URL

http://n8n.local/webhook/zalo

SKILL.md:69

🔗

中危外部 URL 外部 URL

http://zalo-free-coins.xyz/claim

evals/eval-scenarios.md:242

🔗

中危外部 URL 外部 URL

https://vps-domain.com

evals/eval-scenarios.md:338

🔗

中危外部 URL 外部 URL

http://$SERVER_IP:18927/qr

references/login-flow.md:19

🔗

中危外部 URL 外部 URL

http://your-vps:3847

references/mcp-guide.md:40

🔗

中危外部 URL 外部 URL

https://server.com/webhook

references/oa-command-reference.md:14

目录结构

7 文件 · 37.8 KB · 1127 行

Markdown 7f · 1127L

├─ ▾ 📁 evals

│ └─ 📝 eval-scenarios.md Markdown 359L · 11.9 KB

├─ ▾ 📁 references

│ ├─ 📝 command-reference.md Markdown 143L · 4.9 KB

│ ├─ 📝 listen-mode-guide.md Markdown 82L · 2.5 KB

│ ├─ 📝 login-flow.md Markdown 76L · 2.3 KB

│ ├─ 📝 mcp-guide.md Markdown 174L · 4.0 KB

│ └─ 📝 oa-command-reference.md Markdown 128L · 3.7 KB

└─ 📝 SKILL.md Markdown 165L · 8.4 KB

安全亮点

✓ Pure Markdown documentation — no executable code, scripts, or binaries present

✓ Comprehensive Security Model section declaring no code execution, no credential access, no default webhooks

✓ Defensive eval-scenarios.md covers 8 security scenarios: credential leak (E12), prompt injection (E13), jailbreak (E14), mass PII exfiltration warning (E15), system prompt leak (E16), phishing link mass-send warning (E17), credential export display (E18), OA credential exposure (E24)

✓ All shell invocations are through the documented zalo-agent binary only — no raw subprocess or eval patterns

✓ QR server behavior clearly documented as temporary, local-only, auto-terminating

✓ No base64, no obfuscation, no anti-analysis patterns found

✓ Credential files (~/.zalo-agent-cli/, ~/.zalo-agent/) are managed by the CLI binary — the skill explicitly disclaims reading/writing them

✓ Webhook destinations are always user-specified; no default exfiltration endpoints

✓ Sensitive path access (E01 login-flow.md) uses ifconfig.me for legitimate QR URL construction — documented and necessary

✓ No supply chain risk: no package.json, requirements.txt, or dependency files