Back to skill
Skillv0.1.0
ClawScan security
Whatsapp Auto Reply · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
ReviewMar 14, 2026, 11:12 AM
- Verdict
- Review
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's description and SKILL.md claim it only generates reply suggestions, but included files (README, manifest, skill.py) implement sending messages via an external WhatsApp API and expect an API key — the package metadata does not declare this credential or external-network behavior.
- Guidance
- Do not install or enable this skill until the developer clarifies and fixes the inconsistencies. Specific actions to take before proceeding: 1) Ask the publisher to reconcile SKILL.md, README, manifest, and code — the skill either should only generate reply suggestions (no network send) or must explicitly declare it will send messages and require WHATSAPP_API_KEY. 2) Verify the external endpoint (https://api.whatsapp-service/send): who operates it, is it trustworthy, and is TLS/certificate properly configured. 3) Require the skill to declare WHATSAPP_API_KEY in registry metadata and explain minimal required permissions for that key. 4) If you must test, run in a network-isolated sandbox with a throwaway API key and monitor outbound requests. 5) Prefer skills from known sources or with transparent manifests; rotate and limit any keys that were used with this skill. If the developer cannot justify the external send behavior and missing credential declaration, treat the skill as untrusted.
Review Dimensions
- Purpose & Capability
- concernSKILL.md and the public description say the skill only generates reply suggestions and 'does NOT access WhatsApp directly', but README.md, manifest.json, and skill.py implement an autonomous send workflow that accepts phone_number and posts to an external API. The declared registry requirements list no env vars/credentials, which contradicts the code that reads WHATSAPP_API_KEY.
- Instruction Scope
- concernRuntime instructions in SKILL.md do not mention calling any external API, requiring phone numbers, or needing an API key. The actual code sends the provided message and phone number to https://api.whatsapp-service/send, which is outside the stated scope and is not disclosed in the SKILL.md.
- Install Mechanism
- noteNo install spec is provided (instruction-only), but a requirements.txt lists 'requests' and 'python-dotenv' and skill.py performs network requests. Lack of an install spec means dependencies may be unmet or silently installed by the platform; the code contacts an external, non-obvious domain (api.whatsapp-service) rather than a well-known provider.
- Credentials
- concernmanifest/registry claim no required env variables, yet skill.py reads WHATSAPP_API_KEY from the environment. That credential would allow the skill to send messages on behalf of an account — a high-privilege secret that should have been declared and justified.
- Persistence & Privilege
- notealways is false and nothing requests persistent system modifications. However, the skill can be invoked autonomously (platform default); combined with the undisclosed API key requirement and network send behavior, autonomous invocation increases risk if the key is supplied.