Code Plugin · source linked · Verified

Zalo v2026.5.28

OpenClaw Zalo channel plugin for bot and webhook chats.

@openclaw/zalo · runtime zalo · by @openclaw
openclaw plugins install clawhub:@openclaw/zalo
Latest release: v2026.5.28

Capabilities

Channels: zalo
configSchema: Yes
Executes code: Yes
HTTP routes: 0
Runtime ID: zalo
Setup entry: Yes

Compatibility

Built With OpenClaw Version: 2026.5.28
Min Gateway Version: >=2026.4.10
Plugin Api Range: >=2026.5.28
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The package describes itself as a Zalo channel plugin, and the code implements Zalo Bot API send, polling, webhook, media, setup, pairing, allowlist, and status behavior consistent with that purpose.
Instruction Scope
Runtime actions are scoped to the Zalo channel and configured accounts; message sending, inbound dispatch, webhook registration, and setup prompts are disclosed by the plugin metadata and README.
Install Mechanism
The package is a trusted official @openclaw npm-pack release with no install scripts identified and only a pinned zod dependency in the shrinkwrap.
Credentials
The plugin reads configured Zalo secrets from config, env, or an explicit token file, performs network calls to Zalo and configured media/webhook URLs, and may use a user-configured proxy; these are proportionate for a messaging integration.
Persistence & Privilege
It can run a polling loop or register webhook HTTP routes while the channel is enabled, set/delete the Zalo webhook, and temporarily store outbound media in a private temp directory with token-gated access and cleanup.
Scan Findings in Context
[SkillSpector] expected: SkillSpector reported no issues; artifact review did not find hidden or purpose-mismatched behavior.
[VirusTotal] expected: VirusTotal telemetry was clean across supplied engines; this supports but does not determine the benign verdict.
Assessment
Install only if you intend OpenClaw to operate a Zalo bot. Configure the bot token and webhook secret carefully, use allowlists or pairing for access control, and understand that enabling webhook or polling mode lets the plugin receive Zalo messages and send replies through your bot account.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
dist/monitor-De6CIauS.js:499: File appears to expose a hardcoded API secret or token.

Verification

Tier: source linked
Scope: artifact only
Summary: Validated package structure and linked the release to source metadata.
Commit: e93216080aa1
Tag: refs/heads/release/2026.5.28
Provenance: No
Scan status: clean

Tags

alpha: 2026.5.19-alpha.1
beta: 2026.6.1-beta.1
latest: 2026.5.28

@openclaw/zalo

Zalo channel plugin for OpenClaw (Bot API).

Install (local checkout)

openclaw plugins install ./path/to/local/zalo-plugin

Install (npm)

openclaw plugins install @openclaw/zalo

Onboarding: select Zalo and confirm the install prompt to fetch the plugin automatically.

Config

{
  channels: {
    zalo: {
      enabled: true,
      botToken: "12345689:abc-xyz",
      dmPolicy: "pairing",
      proxy: "http://proxy.local:8080",
    },
  },
}

Webhook mode

{
  channels: {
    zalo: {
      webhookUrl: "https://example.com/zalo-webhook",
      webhookSecret: "your-secret-8-plus-chars",
      webhookPath: "/zalo-webhook",
    },
  },
}

If webhookPath is omitted, the plugin uses the webhook URL path.

Restart the gateway after config changes.