Security audit

Cashclaw Whatsapp Manager

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed WhatsApp Business workflow/template helper, with no artifact-backed evidence of hidden access, exfiltration, destructive behavior, or unsafe persistence.

Before installing, review the npm package and test the auto-response triggers with real conversation examples. Narrow broad triggers like 'where,' 'help,' and '1' or require menu state so customers do not receive the wrong canned response.

SkillSpector

By NVIDIA

Vulnerability Patterns

Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (4)

Vague Triggers

Medium

Confidence: 94% confidence
Finding: The pricing auto-response includes broad trigger terms such as "how much" and especially generic pricing-related words that may appear in ordinary conversation, causing the bot to fire in contexts where the user is not actually requesting pricing details. In a WhatsApp business workflow, unintended activations can confuse customers, derail conversations, and expose canned pricing or sales messaging at the wrong time.

Vague Triggers

Medium

Confidence: 96% confidence
Finding: The location auto-response uses very broad words like "where" that commonly occur in unrelated questions, so the system may incorrectly return address details or navigation content when the user meant something else. In customer support chat, this can degrade reliability and create misleading or noisy responses that reduce trust and conversion.

Vague Triggers

Medium

Confidence: 95% confidence
Finding: The support auto-response includes highly generic triggers like "help," "issue," and "problem," which are likely to appear in many normal conversations and can cause the support flow to activate too aggressively. This may collect unnecessary customer data, interrupt sales conversations, and create automation loops or misrouting in high-volume WhatsApp usage.

Vague Triggers

High

Confidence: 99% confidence
Finding: A single numeric trigger of "1" is extremely ambiguous because it can appear in phone numbers, dates, lists, menu replies, pricing, or casual text, making accidental activation very likely. In a WhatsApp automation context, this can repeatedly send the wrong canned response, disrupt multi-step flows, and create significant customer confusion at scale.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal