Back to skill

Security audit

WhatsApp Outreach Platform — AI Leads, Bulk Messaging, Reviews & CRM Pipeline

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only WhatsApp automation skill, but it enables broad live messaging, contact extraction, monitoring, exports, scheduled actions, and admin operations that users should review carefully before use.

Install only if you trust MoltFlow with live WhatsApp business data and intend to use outreach automation. Use a dedicated least-privilege key, enable approval mode and phone whitelisting, preview recipients and message text before bulk or scheduled sends, avoid importing/exporting group members without consent, and regularly audit schedules, webhooks, A2A endpoints, API keys, AI profiles, document indexes, and review collectors.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (20)

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The documentation presents the onboarding/account-scan capability as read-only and non-modifying, while the same skill broadly exposes write-capable operations such as message sending, scheduling, lead updates, review collection, and erasure. Even if the specific onboarding module is read-only, this framing can mislead users or downstream agents into granting trust to the overall skill package and underestimate the risk of invoking state-changing tools.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The file claims messages are only sent with explicit user confirmation, but the documented features include scheduled recurring messages, webhook-triggered sends, auto-replies, and other automatic outbound workflows. This contradiction is security-relevant because users and agents may rely on the safer claim while enabling capabilities that can message third parties without per-message confirmation, leading to spam, privacy incidents, or unauthorized outreach.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The API key creation example recommends scopes such as messages:send, custom-groups:manage, and bulk-send:manage, which exceed this skill's stated admin purpose. In an agent setting, examples often become copied defaults, so this can normalize overprivileged key creation and expand blast radius if the key is misused or leaked.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The skill explicitly claims to be read-only, but its documented required scopes include `messages: send`, which is write-capable and broader than necessary for the described behavior. Over-privileged credentials increase blast radius if the skill is misused, compromised, or later changed, and they undermine the user's ability to safely grant least-privilege access.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The marketing examples encourage bulk messaging, group monitoring, lead mining, and AI analysis of conversations without prominent warnings about consent, third-party privacy, platform policy compliance, or the sensitivity of group data. In this context, omission of those warnings increases the risk that users deploy surveillance or outreach workflows affecting people who have not consented.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill exposes externally impactful actions such as sending WhatsApp messages, creating groups, inviting participants, and managing webhooks, but the introductory description does not prominently warn that these are state-changing operations affecting third parties. In an agent setting, that omission increases the risk of unintended outbound messaging, group changes, or webhook reconfiguration being triggered without sufficient user awareness or confirmation.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill encourages transcription, document ingestion, and style learning from WhatsApp conversations that may contain highly sensitive data such as health, legal, or customer information, but it provides no privacy notice, retention guidance, consent expectations, or data-handling cautions. In this context, that omission can lead users to process regulated or confidential content without understanding the privacy and compliance implications.

Missing User Warnings

Low
Confidence
75% confidence
Finding
The documented document-deletion endpoint is destructive, yet the skill does not warn that deletion may be permanent or affect downstream AI reply quality and traceability. While this is not a code-execution issue, lack of caution increases the chance of accidental data loss and operational disruption.

Missing User Warnings

Low
Confidence
76% confidence
Finding
The style profile deletion endpoint is presented without noting that trained profile data and learned behavior may be lost permanently. Users may accidentally remove profiles that affect automated reply consistency, causing avoidable service degradation and loss of training effort.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The manifest description contains very broad trigger phrases such as 'leads', 'qualify', 'convert', and 'export leads', which can match many ordinary user requests unrelated to this specific WhatsApp automation skill. Over-broad routing increases the chance the agent invokes a high-risk messaging/lead-management capability in the wrong context, potentially exposing contact data or enabling unintended outreach actions.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger phrases are broad enough to match common requests like 'help me get started' or 'optimize my setup,' which can cause the skill to activate in contexts the user did not specifically intend. In a skill that accesses account metadata, chats, groups, and lead data, accidental invocation can expose more business-sensitive information than necessary and expand data access beyond user expectations.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
This skill promotes bulk outreach, deduped lead extraction from WhatsApp groups, exports, and scheduled messaging with 'ban-safe' throttling but does not present an upfront warning about consent, privacy, anti-spam obligations, or recipient impact. In this context, the capability is inherently high-risk because it can be used for spam, unauthorized contact harvesting, and privacy-invasive mass messaging at scale.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The authentication section demonstrates direct use of bearer tokens and API keys but does not warn users against exposing secrets in prompts, logs, scripts, screenshots, or shared files. In agent and CLI workflows, this omission materially increases the chance of credential leakage, which could allow unauthorized access to contact lists, bulk messaging, exports, and account operations.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The export examples enable downloading group members as CSV/JSON without warning that these files contain personal contact data that may be sensitive and regulated. In a skill focused on lead extraction and bulk outreach, silent export guidance increases the risk of unnecessary retention, insecure local storage, and secondary sharing of recipient data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs users to scan WhatsApp conversations, extract reviews, and export testimonials containing message text and contact identifiers, but provides no privacy, consent, retention, or lawful-basis guidance. In this context, omission is security-relevant because it normalizes collection and republishing of potentially personal data from private communications without safeguards, increasing the likelihood of unauthorized processing and disclosure.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly supports monitoring WhatsApp groups and retrieving captured group messages, including sender phone numbers, names, message previews, and AI analysis, but it does not present any privacy or consent warning where those capabilities are described. In a messaging-surveillance context, that omission increases the chance that users deploy monitoring on third-party conversations without understanding legal, policy, or data-protection implications.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The webhook section explains transport security and signature verification, but it does not clearly warn that inbound messages, session identifiers, chat identifiers, and related event data will be forwarded to external systems. Because this skill handles sensitive communications data, users may unknowingly exfiltrate personal or business information to third-party endpoints they configure or to downstream systems with weaker controls.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
**"Collect customer reviews after every reservation and export the best ones"**

Sentiment-scored review collection, auto-approve positives, export as HTML for your website.

**"Send a weekly campaign performance report to my team's WhatsApp group every Monday"**
Confidence
87% confidence
Finding
auto-approve

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
| Style Clone | Matches your writing tone |
| RAG | PDF/TXT, semantic search |
| Voice | Whisper transcription |
| Reviews | Sentiment, auto-approve |
| Anti-Spam | Rate limits, typing sim |
| Safeguards | Block PII, injections |
| Webhooks | HMAC signed, 10+ events |
Confidence
80% confidence
Finding
auto-approve

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
## Real-World Scenarios

**Restaurant owner** — "After every dinner reservation, collect feedback from WhatsApp chats and auto-approve anything with a sentiment score above 0.8."

**Airbnb host** — "Scan my guest conversations for praise keywords like 'amazing', 'clean', and 'recommend', then export the best ones as HTML for my listing page."
Confidence
90% confidence
Finding
auto-approve

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.