Plugin v2.3.0

ClawScan security

Openclaw Zalo Mod · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 28, 2026, 11:36 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The plugin's code mostly matches its stated purpose (Zalo group moderation) but it reads/writes global OpenClaw config and session files and auto-enables system-wide bindings — behavior that is powerful and out-of-band enough to warrant caution before installing.
Guidance
What to consider before installing:
- The code will read openclaw.json and agent session files (agents/*/sessions/sessions.json) to discover groups, and may read IDENTITY.md; review those files for sensitive data you don't want the plugin to access.
- The setup script and runtime will automatically modify openclaw.json: they can add the plugin entry, add bindings for the zalouser channel, and set channels.zalouser.groups = {'*': {enabled: true, requireMention: false}}. Because '*' is a wildcard, that effectively gives the plugin access to every group's messages without an explicit mention; make sure you want that behavior.
- The package does not exfiltrate data externally in the code provided, but because it reads session JSON and writes local stores/memory digests, treat it as a privileged local component.
- Recommended precautions:
  1. Run setup.js in a controlled/test environment first (use --openclaw-home to point at a copy).
  2. Inspect the backup openclaw.json produced by the script before deploying.
  3. Audit the contents of agents/*/sessions/sessions.json to confirm it holds no secrets you are not comfortable exposing to the plugin.
  4. Confirm the storage locations (plugin data/ and skills/memory/) have appropriate access controls.
- If you need higher assurance, ask the author to remove the auto-patching of global bindings and channel settings, or to require explicit admin confirmation before it runs; alternatively, modify the plugin so it only patches its own plugin entry and leaves binding/channel changes to be made manually.
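Precautions 2 and 3 above, plus the check for the wildcard group rule, can be scripted against the copy of the OpenClaw home you point --openclaw-home at. The following is an added example, not code from the Openclaw Zalo Mod plugin or from ClawHub. It relies on the openclaw.json layout only as far as the guidance states it (channels.zalouser.groups with enabled/requireMention per group); the plugin entry key, binding shape, and credential-looking patterns in it are assumptions, and the sample data is constructed.

```javascript
// Added example for reviewing a *copy* of an OpenClaw home before and after a
// test run of setup.js. Not code from the Openclaw Zalo Mod plugin or ClawHub.
// Assumed, not stated on the scan page: the shape of openclaw.json beyond
// channels.<name>.groups.<id>.{enabled, requireMention}, the plugin/binding
// keys in the constructed sample, and the secret-looking patterns used below.
const isObj = (v) => v !== null && typeof v === "object" && !Array.isArray(v);

// Check 1: group entries that are enabled and do not require a mention; the
// wildcard '*' entry the setup script writes is flagged as such.
function findPermissiveGroups(config) {
  const findings = [];
  const channels = isObj(config.channels) ? config.channels : {};
  for (const [channel, cfg] of Object.entries(channels)) {
    const groups = isObj(cfg) && isObj(cfg.groups) ? cfg.groups : {};
    for (const [groupId, g] of Object.entries(groups)) {
      if (isObj(g) && g.enabled === true && g.requireMention === false) {
        findings.push({ channel, groupId, wildcard: groupId === "*" });
      }
    }
  }
  return findings;
}

// Check 2: diff the backup setup.js wrote against the patched openclaw.json.
// One entry per dotted key path added, removed or changed, so the review
// covers every write the script made, not only the ones you expected.
function diffConfig(before, after, prefix = "") {
  const changes = [];
  const keys = [...new Set([...Object.keys(before), ...Object.keys(after)])].sort();
  for (const key of keys) {
    const p = prefix ? `${prefix}.${key}` : key;
    const a = before[key], b = after[key];
    if (isObj(a) && isObj(b)) changes.push(...diffConfig(a, b, p));
    else if (JSON.stringify(a) !== JSON.stringify(b)) changes.push({ path: p, before: a, after: b });
  }
  return changes;
}

// Check 3: walk a parsed sessions.json and report what a plugin reading it
// would see that looks like a credential: secret-ish key names holding a
// string, bearer tokens, and common API key prefixes (patterns are assumptions).
const SECRET_KEY = /(api[_-]?key|token|secret|password|authorization)/i;
const SECRET_VALUE = /(^|\s)(Bearer\s+[A-Za-z0-9._-]{16,}|(sk|ghp|xox[abp])_[A-Za-z0-9]{16,})/;
function findSecretLike(node, p = "") {
  const hits = [];
  if (Array.isArray(node)) {
    node.forEach((v, i) => hits.push(...findSecretLike(v, `${p}[${i}]`)));
  } else if (isObj(node)) {
    for (const [k, v] of Object.entries(node)) {
      const child = p ? `${p}.${k}` : k;
      if (typeof v === "string" && v.length > 0 && SECRET_KEY.test(k)) hits.push(child);
      else hits.push(...findSecretLike(v, child));
    }
  } else if (typeof node === "string" && SECRET_VALUE.test(node)) {
    hits.push(p);
  }
  return hits;
}

// All three checks on real files: backup and patched openclaw.json, plus any
// number of agents/*/sessions/sessions.json paths.
function reviewFiles(backupPath, currentPath, sessionPaths) {
  const read = (f) => JSON.parse(require("fs").readFileSync(f, "utf8"));
  const before = read(backupPath), after = read(currentPath);
  return {
    changes: diffConfig(before, after),
    permissive: findPermissiveGroups(after),
    secrets: sessionPaths.flatMap((f) => findSecretLike(read(f)).map((p) => `${f}:${p}`)),
  };
}

// Constructed sample data (not from a real install): a config before and after
// a setup run that adds a plugin entry, a zalouser binding and the '*' rule,
// and a sessions file carrying two credential-looking values.
const SAMPLE_BEFORE = {
  plugins: {}, bindings: [],
  channels: { zalouser: { groups: { g1: { enabled: true, requireMention: true } } } },
};
const SAMPLE_AFTER = {
  plugins: { "zalo-mod": { enabled: true } },
  bindings: [{ channel: "zalouser", agent: "main" }],
  channels: { zalouser: { groups: {
    g1: { enabled: true, requireMention: true },
    "*": { enabled: true, requireMention: false },
  } } },
};
const SAMPLE_SESSIONS = {
  sessions: [{ id: "s1", accessToken: "demo-not-a-real-token", notes: "Bearer ZmFrZS10b2tlbi1mb3ItZGVtbw" }],
};
// With file arguments, review real files; with none, review the sample above.
if (typeof require !== "undefined" && require.main === module) {
  const [backup, current, ...sessions] = process.argv.slice(2);
  const report = backup && current ? reviewFiles(backup, current, sessions) : {
    changes: diffConfig(SAMPLE_BEFORE, SAMPLE_AFTER),
    permissive: findPermissiveGroups(SAMPLE_AFTER),
    secrets: findSecretLike(SAMPLE_SESSIONS),
  };
  console.log(JSON.stringify(report, null, 2));
}
```

Run it as `node review.js <backup openclaw.json> <patched openclaw.json> agents/*/sessions/sessions.json` inside the copied home after a test run of setup.js; with no arguments it reviews the constructed sample and reports the three writes (plugin entry, binding, wildcard group rule), the one permissive group, and the two credential-looking session values. Any path in `changes` that the guidance above does not account for is the thing to raise with the author before the plugin touches a real install.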

Review Dimensions

Purpose & Capability
ok · Name/description (Zalo moderation, slash commands, anti-spam, zero-token) align with the code: handlers for spam detection, a warn store, slash commands, and utilities to discover groups and the bot name. The code's efforts to auto-provision bindings and channel group entries are explainable as convenience for a moderation plugin.
Instruction Scope
concern · Runtime instructions and code access OpenClaw installation state: they read agents/*/sessions/sessions.json, openclaw.json, and IDENTITY.md. The plugin extracts group IDs/names from session files and writes configuration and store files (violations/warned/settings) locally. While this is needed to discover groups and operate without tokens, reading the full sessions.json may surface sensitive session data, and the script has broad discretion to modify system config.
Install Mechanism
ok · There is no remote download/install step in the package metadata or SKILL.md; the code is included in the package and setup is a local Node script. No external URLs, archive extraction, or third-party installers were observed.
Credentials
note · The skill declares no required env vars; the SKILL.md and code reference only OPENCLAW_HOME / OPENCLAW_STATE_DIR for locating the OpenClaw install, which is reasonable. It does scan local agent session files, but it does not request or require external API keys or tokens in metadata.
Persistence & Privilege
concern · The setup script and the runtime auto-patch logic write to openclaw.json (setup.js backs it up first) and will add bindings, channels.zalouser.groups, and plugin entries. Modifying system-wide OpenClaw configuration and channel bindings is a significant privilege even if justified for automation; it increases blast radius and should be reviewed by an administrator before running.