Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenClaw WhatsApp

v0.3.0

WhatsApp bridge for OpenClaw — send/receive messages, auto-reply agents, QR pairing, message search, contact sync

0 · 2.1k · 17 current · 21 all-time
by sam1337 @0xs4m1337
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description describe a local WhatsApp bridge and the files/instructions correspond: a Go binary (openclaw-whatsapp) + two shell relay scripts that enqueue messages and call the local openclaw agent CLI. Requiring the openclaw CLI and a local bridge is coherent with the described functionality.
! Instruction Scope
SKILL.md instructs writing scripts into /usr/local/bin, creating a systemd user service, and running a remote install script via curl | bash. The included scripts access local APIs (http://localhost:8555) and pass message history into the openclaw agent (expected), but they also reference environment variables (OC_WA_OPENCLAW_PATH, OC_WA_AGENT_DATA_DIR, OC_WA_SYSTEM_PROMPT, OC_WA_WORKER_PATH) that are not declared in the skill metadata. The system_prompt examples show instructing the agent to call other actions (e.g., Google Calendar, Telegram), which could trigger broad side effects depending on your agent configuration — the SKILL.md grants the agent significant discretionary capability via configured prompts.
! Install Mechanism
There is no formal install spec in registry metadata; instead SKILL.md tells users to run: curl -fsSL https://raw.githubusercontent.com/0xs4m1337/openclaw-whatsapp/main/install.sh | bash. Downloading and piping a remote script to bash is high-risk even when hosted on GitHub raw (the source is traceable but the installer is arbitrary and executed with the user's privileges). The rest of installation requires copying scripts to /usr/local/bin (sudo) and enabling a systemd service.
! Credentials
Declared requirements list no env vars or credentials, but the scripts use several environment variables (OC_WA_OPENCLAW_PATH, OC_WA_AGENT_DATA_DIR, OC_WA_SYSTEM_PROMPT, OC_WA_WORKER_PATH) and expect file-system write access under /usr/local/bin, ~/.openclaw-whatsapp, and ~/.config/systemd/user. No network credentials or external API keys are requested by the skill itself, but the agent/system_prompt can direct the agent to call other integrations, which may require separate credentials not managed by this skill.
Persistence & Privilege
The skill's recommended installation results in persistent components: a systemd user service and executables under /usr/local/bin, plus persisted queue/log files under $HOME or /tmp. always is false (normal). This persistence is expected for a bridge but combined with the remote installer and sudo file writes increases the risk surface; review the installer and service contents before enabling.
What to consider before installing
Before installing, inspect the remote install.sh on GitHub (do not run curl | bash blindly). Verify what that installer writes (binaries, systemd unit, network endpoints) and whether the binary is signed or from a trustworthy source. Note the included scripts will copy files to /usr/local/bin and enable a user systemd service — that requires elevated privileges and creates persistent processes. The relay scripts pass WhatsApp message contents (including recent history) into your local openclaw agent via a generated prompt; if your agent is allowed to perform actions (or has network access), those message contents could be used to trigger external actions. Check and limit the system_prompt, allowlist/blocklist, and any webhooks you configure. If you want to reduce risk: (1) run the installer in a sandbox or review/replicate its steps manually, (2) install binaries to a user-owned directory instead of /usr/local/bin, (3) run the bridge under an unprivileged user account and inspect logs, (4) set OC_WA_* env vars explicitly and limit system_prompt capabilities, and (5) confirm the GitHub repo and author (0xs4m1337) are trustworthy or host your own vetted build.

Like a lobster shell, security has layers — review code before you run it.
