WhatsApp Contacts
v1.0.0List, search, and lookup WhatsApp contacts from the Baileys session cache
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description claim (read contacts from Baileys session cache) matches the included script and SKILL.md. The script looks in a local OpenClaw state path (OPENCLAW_STATE_DIR or ~/.openclaw/credentials/whatsapp/default) for store.json or contacts.json and extracts contacts.
Instruction Scope
SKILL.md instructs the agent to run the bundled Node script with specific commands (list/search/get). The script only reads local files in the stated session directory and prints JSON results; it does not instruct the agent to read arbitrary system files, call external endpoints, or access unrelated environment variables.
Install Mechanism
No install spec or remote downloads; the skill is instruction-only with a single bundled script. Nothing is written to disk by an installer, and no external packages or URLs are fetched at install time.
Credentials
The skill declares no required environment variables or credentials. The script optionally respects OPENCLAW_STATE_DIR to locate the session, which is reasonable. Caution: the script reads the WhatsApp session store (store.json) which can contain sensitive session data; although the code only extracts and prints contact entries, it still requires read access to a credential directory and will load the file into memory.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system configuration, and only performs read operations. It does not persist new credentials or change agent settings.
Assessment
This skill appears to do what it says: read a local Baileys session cache and list/search contacts. Before installing, consider: (1) the script needs read access to your OpenClaw state directory (default ~/.openclaw/credentials/whatsapp/default) which may contain sensitive WhatsApp session data — only install if you trust the skill and the environment; (2) the code is bundled with the skill (inspect it yourself); it currently only outputs contact info as JSON, but a modified version could exfiltrate data, so avoid giving the agent broad network/file privileges if you don't trust the source; (3) if you prefer narrower scope, run the script locally yourself instead of allowing autonomous agent invocation.Like a lobster shell, security has layers — review code before you run it.
baileyscontactslatestofflinewhatsapp
WhatsApp Contacts Skill
Read and search contacts stored in the local Baileys WhatsApp session.
Usage
exec({ cmd: "node <skill_dir>/scripts/contacts.js COMMAND [ARGS]" })
Commands
List Contacts
exec({ cmd: "node <skill_dir>/scripts/contacts.js list 50" })
Search by Name or Phone
exec({ cmd: "node <skill_dir>/scripts/contacts.js search \"John\"" })
Get Contact Info
exec({ cmd: "node <skill_dir>/scripts/contacts.js get 5511999999999" })
Note
This skill reads contacts from the local Baileys session cache. Only contacts that have previously interacted with the connected account will be available.
Comments
Loading comments...
