Back to skill

Security audit

OpenClaw WhatsApp

Security checks across malware telemetry and agentic risk

Overview

This skill is a real WhatsApp bridge, but it asks users to install and run a persistent auto-reply agent with broad access to private messages and account-level sending authority, with weak install and privacy controls.

Install only if you are comfortable linking a WhatsApp account to a persistent local bridge that can read chats and contacts and send messages automatically. Review the remote installer before running it, prefer a pinned or verified release, start with auto-reply disabled or tightly allowlisted, protect the local data directory and logs, avoid untrusted webhooks, and know how to stop the service and unlink the WhatsApp device.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The example system prompt instructs the WhatsApp agent to perform unrelated external actions such as calendar creation and Telegram messaging. This expands the skill from a messaging bridge into a general action-triggering workflow, creating cross-system command execution risk if message content can induce those actions.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script executes a worker path taken directly from the OC_WA_WORKER_PATH environment variable and only checks that the target is executable. If an attacker can influence the environment of this script, they can cause arbitrary code execution under the script's privileges by pointing it to a malicious binary or script. In an agent/bridge context that processes untrusted messages, environment-controlled execution paths materially increase risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill enables automatic AI replies, message history search, and contact syncing, all of which involve handling sensitive communications and personal data. The documentation does not provide a clear privacy warning, consent guidance, retention notice, or data-minimization instructions, which increases the risk of exposing private user content to the agent or logs.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The setup instructions tell users to execute a remote script directly from GitHub using curl piped into bash, without pinning, signature verification, checksum validation, or review guidance. This creates an immediate code-execution path where compromise of the repository, account, network path, or referenced branch can lead to arbitrary command execution on the user's machine.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The worker forwards raw WhatsApp message content, contact identifiers, and recent chat history into an external `openclaw agent` process with no minimization, consent check, or clear boundary on how that agent may use or retain the data. In this skill's context, that is a real privacy and data-exposure risk because the whole purpose is to process private messages automatically, and the prompt explicitly includes sensitive conversational context beyond the minimum needed for a reply.

Ssd 3

Medium
Confidence
91% confidence
Finding
The documented architecture states that the worker fetches the last 10 messages for context and passes message content into the agent. This creates a straightforward data exposure path for potentially sensitive chat history, especially in private conversations, without documented minimization, redaction, or consent controls.

Ssd 3

Medium
Confidence
95% confidence
Finding
The script embeds untrusted user-controlled fields (`name`, `jid`, `message`, `system_prompt`, and fetched history) verbatim into a natural-language prompt, then appends the agent's JSON output to `worker.log`. That creates both a prompt-injection pathway and a privacy leak path, since sensitive conversation data is exposed to the agent and may be reproduced in logs or agent output beyond the immediate send-reply action.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.