Latest release: v2026.5.28
Security Scan
OpenClaw
Benign (high confidence)
Purpose & Capability
The package is an official @openclaw Zalo Personal channel plugin that logs in with QR, stores a Zalo session, listens for inbound messages, lists contacts/groups, and sends messages/media/reactions; those capabilities align with the README, manifest, and channel registration.
Instruction Scope
The agent tool can send Zalo messages and use ambient conversation context, so users should only enable it for agents and workflows trusted to communicate externally. The package also includes dmPolicy, groupPolicy, allowlist, pairing, and mention controls.
Install Mechanism
The package metadata shows a normal npm-pack plugin with pinned dependencies and no package lifecycle install scripts; activation is not on startup by manifest, though the channel listener starts when the configured channel account is enabled by the gateway.
Credentials
Network access to Zalo, contact/group lookups, inbound message forwarding to the OpenClaw agent pipeline, and media upload/download handling are sensitive but proportionate for a personal messaging channel.
Persistence & Privilege
The plugin persists Zalo cookies/session material under OpenClaw state using a private file store and supports logout cleanup; QR login images are also written to a temp path for scanning, which is expected but worth treating as short-lived authentication material.
Scan Findings in Context
[SDI-2] expected: The resolver does choose the first match for ambiguous friend/group name lookups, but it reports a multiple-match note and the plugin encourages stable numeric IDs; name-based matching is a convenience and should be avoided for sensitive routing.
[SQP-2] expected: The send/image/link actions are real outbound messaging capabilities, but that is the plugin's stated purpose and the tool description discloses it; risk comes from granting agents external communication authority, not from hidden behavior.
[SQP-2] expected: The inbound context includes sender, conversation, message, quote, and limited group metadata so an agent can route and reply; this is expected for a chat integration, with privacy implications users should understand.
[SQP-2] expected: Writing the QR image to a predictable temp file is part of the disclosed QR login flow and is surfaced to the user, but the file should be treated as sensitive until it expires or is removed.
Assessment
Install only if you want OpenClaw agents to read and reply through a Zalo personal account. Keep dmPolicy on pairing or allowlist, use numeric user/group IDs instead of name matching for important routes, limit which agents can use the zalouser tool, and remove QR temp files or log out when you no longer need the session.
@openclaw/zalouser
OpenClaw extension for Zalo Personal Account messaging via native zca-js integration.
Warning: Using Zalo automation may result in account suspension or ban. Use at your own risk. This is an unofficial integration.
Features
- Channel plugin integration with setup wizard + QR login
- In-process listener/sender via zca-js (no external CLI)
- Multi-account support
- Agent tool integration (zalouser)
- DM/group policy support
Prerequisites
- OpenClaw Gateway
- Zalo mobile app (for QR login)
No external zca, openzca, or zca-cli binary is required.
Install
Option A: npm
openclaw plugins install @openclaw/zalouser
Option B: local source checkout
PLUGIN_SRC=./path/to/local/zalouser-plugin
openclaw plugins install "$PLUGIN_SRC"
cd "$PLUGIN_SRC" && pnpm install
Restart the Gateway after install.
Quick start
Login (QR)
openclaw channels login --channel zalouser
Scan the QR code with the Zalo app on your phone.
Enable channel
channels:
  zalouser:
    enabled: true
    dmPolicy: pairing # pairing | allowlist | open | disabled
Send a message
openclaw message send --channel zalouser --target <threadId> --message "Hello from OpenClaw"
Configuration
Basic:
channels:
  zalouser:
    enabled: true
    dmPolicy: pairing
Multi-account:
channels:
  zalouser:
    enabled: true
    defaultAccount: default
    accounts:
      default:
        enabled: true
        profile: default
      work:
        enabled: true
        profile: work
Useful commands
openclaw channels login --channel zalouser
openclaw channels login --channel zalouser --account work
openclaw channels status --probe
openclaw channels logout --channel zalouser
openclaw directory self --channel zalouser
openclaw directory peers list --channel zalouser --query "name"
openclaw directory groups list --channel zalouser --query "work"
openclaw directory groups members --channel zalouser --group-id <id>
Agent tool
The extension registers a zalouser tool for AI agents.
Available actions: send, image, link, friends, groups, me, status
Troubleshooting
- Login not persisted: openclaw channels logout --channel zalouser && openclaw channels login --channel zalouser
- Probe status: openclaw channels status --probe
- Name resolution issues (allowlist/groups): use numeric IDs or exact Zalo names
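The advice to use numeric IDs rather than names, as an added example (not code from the plugin or from OpenClaw): a strict resolver that refuses partial or ambiguous name matches, shown beside the first-match behaviour the scan note describes. The directory shape, the IDs and the function names are assumptions made for illustration.

```javascript
// Constructed sample directory; IDs are kept as strings so long numeric IDs
// are never rounded by Number. Shape { id, name } is an assumption.
const directory = [
  { id: "1000000000000000001", name: "Nguyễn An" },
  { id: "1000000000000000002", name: "Nguyễn An" }, // same display name, other account
  { id: "1000000000000000003", name: "Work Team" },
  { id: "1000000000000000004", name: "Work Team (old)" },
];

// Normalize so visually identical names compare equal (NFC vs NFD, case, spacing).
const norm = (s) => s.normalize("NFC").trim().replace(/\s+/g, " ").toLowerCase();

// Convenience behaviour: the first substring hit wins, with only a note on ambiguity.
function resolveFirstMatch(query, entries) {
  const q = norm(query);
  const hits = entries.filter((e) => norm(e.name).includes(q));
  if (hits.length === 0) return null;
  return { id: hits[0].id, note: hits.length > 1 ? "multiple matches" : null };
}

// Strict behaviour for sensitive routing: a known numeric ID or a unique exact
// name resolves; everything else is refused.
function resolveStrict(query, entries) {
  if (/^\d+$/.test(query)) {
    const hit = entries.find((e) => e.id === query);
    return hit ? { ok: true, id: hit.id } : { ok: false, reason: "unknown-id", candidates: [] };
  }
  const q = norm(query);
  const hits = entries.filter((e) => norm(e.name) === q);
  if (hits.length === 1) return { ok: true, id: hits[0].id };
  return {
    ok: false,
    reason: hits.length === 0 ? "not-found" : "ambiguous",
    candidates: hits.map((e) => e.id), // surface IDs so the operator can pin one
  };
}

// Turn a mixed allowlist into numeric IDs; one unresolved entry rejects the list.
function pinAllowlist(items, entries) {
  const results = items.map((item) => ({ item, ...resolveStrict(item, entries) }));
  const rejected = results.filter((r) => !r.ok);
  return rejected.length ? { ok: false, rejected } : { ok: true, ids: results.map((r) => r.id) };
}
```

Running pinAllowlist over name-based entries once and storing the returned IDs in the configuration means a later rename or a new contact with the same display name cannot change who a route points to.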
Credits
Built on zca-js.
