Security audit
Security checks across malware telemetry and agentic risk
Overview
The plugin's code, docs, and runtime instructions align: it shells out to the local wacli CLI to list/search/backfill and to send messages, and it does not request unrelated credentials or hidden network endpoints.
This plugin is internally consistent: it runs your local wacli binary to access WhatsApp data and send messages. Before installing, verify you trust the wacli implementation (install from the official source), ensure you've run wacli auth interactively, and keep requireExplicitSendConfirmation enabled so the agent cannot send messages without your explicit confirm=true. Remember that the plugin can only be as safe as the local wacli binary and the data in ~/.wacli—if an attacker can replace that binary or that store, they could abuse these tools.
VirusTotal
No VirusTotal findings
Static analysis
No suspicious patterns detected.
