farid wa

Security checks across malware telemetry and agentic risk

Overview

This is a coherent WhatsApp Business API helper, but it asks for credentialed business-messaging access while the publisher identity is inconsistent and some high-impact examples are under-scoped.

Review this before installing. Only use it if you trust the publisher and Maton with your WhatsApp Business access, replace all sample IDs with IDs obtained from your own account, and require explicit confirmation before sending messages or deleting connections, media, or templates.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation includes examples for sending WhatsApp messages and deleting connections/media, which are real external side effects that can affect customers or permanently remove resources. Because there is no warning, confirmation guidance, or recommendation to validate recipient IDs and target resources before execution, an agent or user could perform unintended irreversible actions.

Tool Parameter Abuse

High
Category
Tool Misuse
Content
#### Delete Media

```bash
DELETE /whatsapp-business/v21.0/{media_id}
```

### Message Templates
Confidence
90% confidence
Finding
DELETE /whatsapp-business/v21.0/{media_id}

Tool Parameter Abuse

High
Category
Tool Misuse
Content
#### Delete Template

```bash
DELETE /whatsapp-business/v21.0/{whatsapp_business_account_id}/message_templates?name=template_name
```

### Phone Numbers
Confidence
91% confidence
Finding
DELETE /whatsapp-business/v21.0/{whatsapp_business_account_id}/message_templates?name=template_name

VirusTotal

VirusTotal findings are pending for this skill version.
