Skillv0.1.0

ClawScan security

Wacrawl · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 28, 2026, 5:54 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's stated purpose (local, read-only WhatsApp chat snapshots) matches its instructions, but it requires installing a third-party Homebrew formula and asks users to grant macOS Full Disk Access — both of which increase risk and deserve review before installation.
Guidance: What to consider before installing: 1) Review the upstream project (https://github.com/steipete/wacrawl) and the Homebrew tap formula to confirm sources, checksums, and build steps; prefer building from source or an official release artifact you inspected. 2) Understand macOS Full Disk Access: granting it to a terminal or wrapper app gives that process broad read access to many user files — only grant it if you fully trust the installed binary. 3) Inspect network activity after running the tool (e.g., via Little Snitch or packet capture) to detect unexpected telemetry. 4) Keep automatic scheduled imports disabled until you trust the binary; prefer manual imports. 5) Verify what gets written to ~/.wacrawl and secure or remove that archive if it contains sensitive data. If you cannot review the binary or source, treat the install as untrusted and avoid granting Full Disk Access or enabling autonomous/scheduled runs.

Review Dimensions

Purpose & Capability: okName, description, and runtime instructions consistently describe a local, read-only snapshot/import of WhatsApp Desktop SQLite DBs into ~/.wacrawl/wacrawl.db and scriptable local search. Binaries required (wacrawl) match the stated functionality.
Instruction Scope: noteSKILL.md limits behavior to local snapshot/import and search; it explicitly says it does not write back to WhatsApp or contact WhatsApp services. It requires Full Disk Access for the terminal to read the sandboxed group container and suggests scheduling periodic imports. SKILL.md does not mention network telemetry or external endpoints — absence of such statements is not a proof of absence in the installed binary.
Install Mechanism: concernInstall is a Homebrew formula from the tap steipete/tap (not Homebrew core). Installing a third-party formula will put an unfamiliar binary on disk; formula/build steps could execute code at install time. Without packaging/source verification or shippped code in the skill, the binary is a high-impact trust decision.
Credentials: noteNo environment variables or credentials are requested, which is appropriate. However the skill requires the user to grant macOS Full Disk Access to the terminal that runs wacrawl — a powerful OS-level permission that grants broad file read access beyond WhatsApp data and therefore materially increases the risk if the binary is untrusted.
Persistence & Privilege: noteThe skill is not force-enabled (always:false). Model invocation is allowed (default). Because SKILL.md recommends periodic imports (scheduling), an autonomously-invokable agent combined with the installed binary and Full Disk Access could lead to periodic reads of local private data; this is a capability to consider before enabling autonomous runs.