Skillv0.1.0

ClawScan security

Whatsapp Context Manager for Agents · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 15, 2026, 7:38 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The package appears to implement a local WhatsApp context manager and mostly matches its description, but there are several inconsistencies (missing files referenced by its installer, example code that expects external WhatsApp credentials despite none being declared, and a prompt‑injection / unicode control character signal in SKILL.md) that warrant caution before installing or running it in production.
Guidance: What to check before installing or running this skill: - Inspect SKILL.md and README files for hidden characters: open them in an editor that can reveal invisible/unicode control characters and remove any unexpected controls. The static scan flagged such characters in SKILL.md. - Run tests and example code in an isolated environment (sandbox or ephemeral VM/container) — the package creates local SQLite DB files and tests delete them; still run it isolated to avoid risking production data. - Expect to provide WhatsApp Business API credentials and possibly CRM credentials when integrating the system: the examples show a WhatsApp client requiring an api_key, but the skill metadata does not declare any required env vars. Do not paste production API keys into examples until you verify the code path that uses them. - Note missing packaging files: install_check_whatsapp.py expects README_WHATSAPP.md and LICENSE which are not in the bundle; the verification script will likely report these as missing. That is a packaging inconsistency (not necessarily malicious) but may indicate the published bundle is incomplete. - Review whatsapp_context_manager.py for any network calls or external endpoints before supplying secrets. From the provided excerpts it appears local-only (SQLite + text analysis), but you should grep for socket/requests/urllib/http usage or hardcoded endpoints to confirm. - If you will use this in production, request provenance: contact the publisher or obtain a release from a known repository (the README references a GitHub repo). Confirm the author, license, and release integrity (checksums/signatures). If you are not comfortable with these inconsistencies or the unicode-control-chars signal, do not install it on a machine with sensitive data or credentials.
Findings: [unicode-control-chars] unexpected: Unicode control characters detected inside SKILL.md. These are not expected for a normal README/instruction file and can be used to hide or manipulate visible instructions (prompt-injection style). This finding should be treated as suspicious and the SKILL.md file reviewed in a text editor that can show invisible characters before trusting it.

Review Dimensions

Purpose & Capability: noteThe code implements local sentiment, categorization, priority, order storage and response suggestion features that align with the stated purpose. However, examples and README show integration with a WhatsApp Business client requiring an API key (wa_client = WhatsAppClient(api_key="your_key")) even though the skill's metadata declares no required credentials or env vars and claims no external dependencies. That discrepancy (examples needing external API credentials but none declared) is an inconsistency the user should be aware of.
Instruction Scope: concernSKILL.md instructs creating local DBs and running local modules (which is within scope) but also contains integration examples that would send/receive messages via a WhatsApp client and sync to CRMs — i.e., it expects you to wire it into external systems. SKILL.md also contains a pre-scan injection signal (unicode-control-chars) which could indicate hidden characters embedded in the instructions (prompt–injection-like content). The instructions do not direct reading unrelated system paths or exfiltration explicitly, but the hidden/unicode control characters in SKILL.md are a red flag for content manipulation and should be inspected.
Install Mechanism: noteThere is no formal install spec (instruction-only in registry), and the project claims 'no external dependencies' and pure standard library usage. The included files appear self-contained and use SQLite. However, install_check_whatsapp.py expects files (README_WHATSAPP.md and LICENSE) that are not present in the manifest, so a local verification step is likely to fail unless those files are added. No download-from-URL or external package installation is present in the provided manifest, which reduces supply-chain risk, but the missing-file mismatch is an installation/packaging inconsistency.
Credentials: noteThe skill declares no required environment variables or primary credential, which matches the claim of local operation. But the example integration with WhatsAppBusiness (wa_client = WhatsAppClient(api_key="your_key")) and CRM sync suggests real deployments will require API keys and credentials. The skill does not request or document those credentials in metadata; this omission is a mismatch (not necessarily malicious) that could cause accidental credential usage or ad-hoc passing of secrets by integrators.
Persistence & Privilege: okThe code stores data locally in SQLite databases and creates files such as production.db/exampleX.db — this is consistent with the skill's purpose and the README's 'local storage' claims. The skill is not marked 'always: true' and does not appear to modify other skills or system-wide settings. Creating local DB files is expected behavior for this functionality.