Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

WhatsApp Common Groups

v1.0.0

Find groups shared between contacts and check group membership

by Marcos Santos (@marcosrippel)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for marcosrippel/whatsapp-common-groups.

Install the skill "WhatsApp Common Groups" (marcosrippel/whatsapp-common-groups) from ClawHub.
Skill page: https://clawhub.ai/marcosrippel/whatsapp-common-groups
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install marcosrippel/whatsapp-common-groups

ClawHub CLI

npx clawhub@latest install whatsapp-common-groups

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)

! Purpose & Capability
The script's behavior (scanning a local OpenClaw WhatsApp credentials directory for sender-key files and contacts.json) is consistent with the stated purpose of finding common WhatsApp groups. However, the skill metadata and SKILL.md do not declare that it needs access to local credential/config paths (the code uses OPENCLAW_STATE_DIR or ~/.openclaw/credentials/whatsapp/default). This undeclared requirement is a mismatch and should be disclosed.
! Instruction Scope
SKILL.md shows only how to exec the Node script and does not mention that the script will read files from the user's local OpenClaw credentials directory. The instructions give the agent implicit permission to run a binary that reads potentially sensitive local files, which is not documented in the runtime instructions.
Install Mechanism
There is no install spec (instruction-only with a bundled script). Nothing is downloaded or written to disk by an installer; risk from installation mechanism is low.
! Credentials
The code reads process.env.OPENCLAW_STATE_DIR (if set) and otherwise defaults to ~/.openclaw/credentials/whatsapp/default, but the skill declares no required env vars or config paths. Accessing a credentials directory (and potentially contacts.json and sender-key files) is sensitive and should have been declared. The number and sensitivity of files accessed is disproportionate to the lack of declared permissions.
Persistence & Privilege
The skill does not request persistent/always-on presence, does not modify other skill or system configs, and does not install background services. It only reads files and prints JSON to stdout.
What to consider before installing
This skill will run a bundled Node script that directly reads your OpenClaw WhatsApp credential folder (OPENCLAW_STATE_DIR or ~/.openclaw/credentials/whatsapp/default) and parses sender-key files and contacts.json to report group membership. The metadata and SKILL.md do not disclose this file access. Before installing or running it: (1) verify you trust the source or inspect scripts yourself, (2) check the exact path and contents of the credentials folder to understand what data would be read, (3) consider running the script manually in a sandbox or on a copy of the credential files, and (4) ask the maintainer to explicitly declare required config paths and env vars and to explain why those files are needed. Note: the script does not make network calls or upload data itself — it prints results to stdout, but whatever receives the output (agent logs, remote backend) could expose this information, so treat outputs as sensitive.

Like a lobster shell, security has layers — review code before you run it.

Tags: baileys, common, groups, latest, offline, whatsapp
621 downloads
0 stars
1 version
Updated 4h ago
v1.0.0
MIT-0

WhatsApp Common Groups Skill

Discover groups two contacts share, or verify if a number belongs to a specific group.

Usage

exec({ cmd: "node <skill_dir>/scripts/common.js COMMAND [ARGS]" })

Commands

Find Common Groups

exec({ cmd: "node <skill_dir>/scripts/common.js find \"5511999999999\"" })

Check if Number is in Group

exec({ cmd: "node <skill_dir>/scripts/common.js check \"5511999999999\" \"groupId@g.us\"" })

List All Known Members Across Groups

exec({ cmd: "node <skill_dir>/scripts/common.js all-members 50" })
