Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

WhatsApp Contacts

v1.0.0

List, search, and lookup WhatsApp contacts from the Baileys session cache

by Marcos Santos @marcosrippel
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description claim (read contacts from Baileys session cache) matches the included script and SKILL.md. The script looks in a local OpenClaw state path (OPENCLAW_STATE_DIR or ~/.openclaw/credentials/whatsapp/default) for store.json or contacts.json and extracts contacts.
Instruction Scope
SKILL.md instructs the agent to run the bundled Node script with specific commands (list/search/get). The script only reads local files in the stated session directory and prints JSON results; it does not instruct the agent to read arbitrary system files, call external endpoints, or access unrelated environment variables.
Install Mechanism
No install spec or remote downloads; the skill is instruction-only with a single bundled script. Nothing is written to disk by an installer, and no external packages or URLs are fetched at install time.
Credentials
The skill declares no required environment variables or credentials. The script optionally respects OPENCLAW_STATE_DIR to locate the session, which is reasonable. Caution: the script reads the WhatsApp session store (store.json) which can contain sensitive session data; although the code only extracts and prints contact entries, it still requires read access to a credential directory and will load the file into memory.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system configuration, and only performs read operations. It does not persist new credentials or change agent settings.
Assessment
This skill appears to do what it says: read a local Baileys session cache and list/search contacts. Before installing, consider: (1) the script needs read access to your OpenClaw state directory (default ~/.openclaw/credentials/whatsapp/default) which may contain sensitive WhatsApp session data — only install if you trust the skill and the environment; (2) the code is bundled with the skill (inspect it yourself); it currently only outputs contact info as JSON, but a modified version could exfiltrate data, so avoid giving the agent broad network/file privileges if you don't trust the source; (3) if you prefer narrower scope, run the script locally yourself instead of allowing autonomous agent invocation.

Like a lobster shell, security has layers — review code before you run it.

Tags: baileys, contacts, latest, offline, whatsapp
582 downloads
0 stars
1 version
Updated 8h ago
v1.0.0
MIT-0

WhatsApp Contacts Skill

Read and search contacts stored in the local Baileys WhatsApp session.

Usage

exec({ cmd: "node <skill_dir>/scripts/contacts.js COMMAND [ARGS]" })

Commands

List Contacts

exec({ cmd: "node <skill_dir>/scripts/contacts.js list 50" })

Search by Name or Phone

exec({ cmd: "node <skill_dir>/scripts/contacts.js search \"John\"" })

Get Contact Info

exec({ cmd: "node <skill_dir>/scripts/contacts.js get 5511999999999" })

Note

This skill reads contacts from the local Baileys session cache. Only contacts that have previously interacted with the connected account will be available.
