Community code plugin. Review compatibility and verification before install.
Latest release: v2.9.2Download zip
Capabilities
Compatibility
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The moderation/dashboard purpose is coherent, but the implementation also includes payment/licensing, shell-executed upgrade flow, automatic OpenClaw config migration, and auto-patching of the zalouser runtime, which are broader than the README framing.
Instruction Scope
The plugin is not enabled by default, but it activates on startup/hooks, intercepts Zalo traffic, runs a local dashboard action API, and supports live group/member actions with uneven confirmation coverage.
Install Mechanism
The package is a community legacy zip with source metadata but no provenance, and the main index.js is heavily obfuscated, making its install-time and runtime behavior hard for users to verify.
Credentials
It reads OpenClaw session/config areas, uses ZCA APIs, starts a local HTTP dashboard, caches friend/profile details in browser storage, and sends device/license information to a remote service.
Persistence & Privilege
It persistently writes ownerId/config/settings/audit/memory files, can grant owner control from an 'im admin' style DM flow, modifies openclaw.json, chmods plugin files, and patches installed zalouser JavaScript.
Scan Findings in Context
[SDI-2] unexpected: The broad control-plane behavior was artifact-backed: index.js imports child_process exec, starts a dashboard server, rewrites OpenClaw configuration, scans sessions, uses ZCA admin APIs, and performs license/payment networking.
[SDI-4] unexpected: Scanner concerns about documentation mismatch are supported in part: README emphasizes moderation/admin features, while obfuscated code adds licensing, payment/order handling, config migration, chmod, shell flow execution, and runtime patching.
[SQP-2] unexpected: The owner setup flow is documented but under-scoped: a natural-language DM claim can persist ownerId, which is a privileged configuration change without clear identity verification guidance.
[SQP-2] unexpected: The dashboard silently calls get-friends on first load and stores names, avatars, birthdays, and phone numbers in localStorage; this is useful for the dashboard but privacy-sensitive and under-disclosed.
[SQP-2] unexpected: License activation sends a generated device ID plus hostname/platform/node details to a remote license endpoint; licensing is visible in the UI, but this device fingerprinting is not clearly disclosed in the README.
[SQP-2] unexpected: File mutation concerns are supported: the code rewrites openclaw.json, writes plugin data/config files, chmods files, and auto-patches zalouser code to expose an API map.
[E1] expected: The VietQR external image appears to be a donation/payment QR display, not evidence of secret data exfiltration by itself.
[EA3] expected: The LICENSE finding points to standard MIT warranty language and is not a meaningful security concern.
[SQP-3] expected: Vietnamese defaults and light theme are low-impact locale/UI choices for a Vietnam-specific Zalo plugin and did not drive the verdict.
What to consider before installing
Review this carefully before installing. Use it only in a Zalo/OpenClaw environment where the operator is trusted to control groups, approve/remove members, send messages, and handle contact data. Be aware it can persist owner privileges, edit OpenClaw config, patch another plugin, cache profile data in browser localStorage, and contact a third-party license server with device information.index.js:1
Potential obfuscated payload detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.Verification
Tags
🛡️ openclaw-zalo-mod — Zero-Token Zalo Group Moderation
OpenClaw runtime plugin dành cho quản trị nhóm Zalo. Xử lý kiểm duyệt, slash commands, anti-spam với 0 token LLM. Chỉ có tin nhắn
@mentionmới được chuyển lên AI agent.
✨ Tính năng
| Tính năng | Token | Mô tả |
|---|---|---|
| Zalo Owner Dashboard | 0 | Stunning graphical UI Dashboard (Premium Glassmorphism), manage groups, approve pending members, and compose direct messages via real ZCA API! |
| Slash Commands | 0 | /noi-quy, /menu, /huong-dan, /groupid, /ownerid, /report, /rules |
| Warn System | 0 | /warn @name [reason] — member violation tracker |
| Anti-Spam | 0 | Detect repeated messages, suspicious links, emoji floods |
| Admin Notes | 0 | /note [text] — quick admin annotations |
| Memory Sync | 0 | /memory — saves context digest in skills/memory/ |
| Smart Q&A | 0 | Native retrieval: "who is warned?", "spam log?" via local data |
| ZCA Admin Sync | 0 | Synchronizes creatorId & adminIds from Zalo API |
| Owner DM | 0 | Administrative command control panel over private DM |
🖥️ Zalo Owner Dashboard (UI)
The plugin features a built-in administrative graphical user interface Zalo Owner Dashboard crafted under Premium Glassmorphism & High-Density Studio v1.5 design guidelines.
- Access URL:
http://127.0.0.1:19790(default) or your server IP on port19790. - Configuration inside
openclaw.json:"dashboardEnabled": true, "dashboardHost": "127.0.0.1", "dashboardPort": 19790
Key Modules:
- 📊 Operations Overview: Live monitoring of group statistics, pending member requests, and operational audit logs.
- 👥 Group Management: Configure Silent Mode, Welcome messages, view invite links, and track group administrators.
- ⏳ Member Approvals: Quickly accept pending group membership requests and watch flagged members.
- ✍️ Message Composer: Write and dispatch raw text or image announcements directly to chosen groups with immediate preview.
- 🔌 API Directory: Inspect fully documented ZCA JavaScript APIs with real integration examples.
🏗️ Kiến trúc
Tin nhắn Zalo đến
│
├─ /slash command → Plugin xử lý local (0 token)
├─ Spam phát hiện → Log + block im lặng (0 token)
├─ Sticker/media → Chuyển thành [Sticker] (0 token)
├─ "Ai bị warn?" → Plugin trả lời từ store (0 token)
│
└─ @BotName câu hỏi → Chuyển lên LLM agent (dùng token)
📦 Cài đặt
1. Docker (khuyến nghị — dùng với openclaw-setup)
# Chạy bên trong container
docker exec openclaw-bot openclaw plugins install clawhub:openclaw-zalo-mod --force
docker restart openclaw-bot
2. Native (không Docker)
openclaw plugins install openclaw-zalo-mod
openclaw gateway restart
3. Cài thủ công từ source
# Copy source vào thư mục extensions
xcopy /E /I openclaw-zalo-mod "%OPENCLAW_HOME%\extensions\zalo-mod"
# Hoặc trên Linux
cp -r openclaw-zalo-mod ~/.openclaw/extensions/zalo-mod
# Restart gateway
openclaw gateway restart
4. Patch nhanh khi phát triển (Docker)
# Copy file đã sửa vào container
Copy-Item -Path "D:\openclaw-zalo-mod\index.js" -Destination "E:\final\.openclaw\extensions\zalo-mod\index.js" -Force
# Fix quyền (Windows bind mount tạo quyền 777)
docker exec openclaw-bot chmod 644 /root/project/.openclaw/extensions/zalo-mod/index.js
# Restart
docker restart openclaw-bot
⚠️ Lưu ý quyền file: Windows bind mounts tạo file với quyền
0777. OpenClaw sẽ từ chối load plugin có quyền world-writable. Luôn chạychmod 644sau khi copy.
⚙️ Cấu hình ban đầu
Bước 1: Xác nhận bot đã load plugin
Kiểm tra log sau khi restart:
[gateway] http server listening (5 plugins: browser, memory-core, openclaw-n8n-facebook-poster, zalo-mod, zalouser; ...)
Plugin phải xuất hiện trong danh sách. Nếu thiếu, kiểm tra quyền file.
Bước 2: Nhận quyền Owner
Gửi tin nhắn DM riêng cho bot:
i'm admin
Bot sẽ tự động ghi ownerId vào config và xác nhận.
Bước 3: Đăng ký Group
Vào group cần quản lý, gửi lệnh:
/bot-rules groupid
Bot sẽ quét session, lấy creatorId + adminIds từ Zalo API, rồi tự ghi vào config.
📋 Danh sách lệnh đầy đủ
👤 Mọi người (trong group)
| Lệnh | Mô tả |
|---|---|
/{botname}-noi-quy | Xem nội quy nhóm |
/{botname}-menu | Danh sách lệnh |
/{botname}-huong-dan | Hướng dẫn sử dụng bot |
/{botname}-report | Báo cáo vi phạm |
🔧 Admin (trong group)
| Lệnh | Mô tả |
|---|---|
/{botname}-mute | Tắt bot hoàn toàn |
/{botname}-unmute | Bật lại bot |
/{botname}-warn @name [lý do] | Cảnh cáo member |
/{botname}-note [text] | Ghi chú admin |
/{botname}-memory [note] | Lưu memory digest |
👑 Owner — trong group
| Lệnh | Mô tả |
|---|---|
/bot-rules | Xem panel sub-lệnh |
/bot-rules status | Cấu hình group hiện tại |
/bot-rules groupid | Thêm group + lấy adminIds/creatorId từ ZCA |
/bot-rules silent-on/off | Bật/tắt silent mode |
/bot-rules welcome-on/off | Bật/tắt chào member mới |
/bot-rules tracking-on/off | Bật/tắt ghi lịch sử |
🔐 Owner — qua DM riêng
| Lệnh | Mô tả |
|---|---|
/bot-rules mute <groupId> on/off | Mute/unmute group cụ thể |
/bot-rules mute all on/off | Mute/unmute tất cả |
/bot-rules silent <groupId> on/off | Silent group cụ thể |
/bot-rules welcome <groupId> on/off | Welcome group cụ thể |
/bot-rules tracking <groupId> on/off | Tracking group cụ thể |
/bot-rules dm-add <userId> | Thêm vào DM whitelist |
/bot-rules groupid-list | Danh sách tất cả groups |
/bot-ownerid | Xem owner ID hiện tại |
🛑 Anti-Spam
| Loại | Phát hiện |
|---|---|
| Repeat Spam | Cùng tin nhắn gửi N lần trong khoảng thời gian |
| Link Spam | URL rút gọn hoặc link affiliate đáng ngờ |
| Emoji Flood | 5+ emoji liên tiếp |
Cấu hình trong openclaw.json:
"spamRepeatN": 3,
"spamWindowSeconds": 300
🔧 Yêu cầu
- OpenClaw
>= 2026.3.24 - Channel
zalouserđã được cấu hình và xác thực - Node.js
>= 20
📄 License
MIT — see LICENSE