What's app
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used carelessly, the agent could send a real message or file to the wrong WhatsApp contact or group.
The skill can invoke a tool that sends WhatsApp messages, but it also explicitly requires recipient/message confirmation before sending.
Safety
- Require explicit recipient + message text.
- Confirm recipient + message before sending.
Only allow sends after reviewing the exact recipient, message text, and any attachment path.
The CLI may act as the authenticated WhatsApp user, including sending messages and accessing synced chats.
QR login delegates access to the user's WhatsApp account, which is expected for the skill but is sensitive account authority.
`wacli auth` (QR login + initial sync)
Authenticate only if you trust the wacli installation, and revoke or remove the local session if you no longer need the skill.
Private WhatsApp history may be stored and later searched locally by the agent when you request it.
The skill can continuously sync WhatsApp history into a persistent local store, which may contain private chat content.
`wacli sync --follow` (continuous sync) ... Store dir: `~/.wacli` (override with `--store`).
Use the narrowest practical chat/date scope, consider a dedicated `--store` location, and clean up stored history when no longer needed.
The reviewed skill file is small, but the actual behavior depends on the external wacli binary you install.
The skill relies on an external CLI installed from upstream sources, with the Go install using the moving @latest version.
brew formula: steipete/tap/wacli ... go module: github.com/steipete/wacli/cmd/wacli@latest
Install wacli only from a trusted source, prefer a pinned/versioned install when possible, and review the upstream project before authenticating WhatsApp.
