Back to plugin

Security audit

Whassist

Security checks across malware telemetry and agentic risk

Overview

Whassist is a coherent WhatsApp assistant plugin, but installing it means OpenClaw can access sensitive Whassist conversation data when you use its tools.

Install only if you want OpenClaw to use your Whassist/WhatsApp account. Be careful with generic requests about contacts or follow-ups, and only approve sending after verifying the exact recipient and message text.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
84% confidence
Finding
The invocation guidance is broad enough to trigger on general conversation-analysis requests such as summaries, follow-ups, unanswered messages, and relationship context, which may exceed a narrowly user-intended WhatsApp-specific scope. In a messaging skill with access to private communications, overbroad activation increases the chance of unnecessary tool use and unintended exposure of sensitive chat data.

VirusTotal

62/62 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.