Back to plugin

Security audit

WhatsApp

Security checks across malware telemetry and agentic risk

Overview

The plugin's code, docs, and runtime instructions align: it shells out to the local wacli CLI to list/search/backfill and to send messages, and it does not request unrelated credentials or hidden network endpoints.

This plugin is internally consistent: it runs your local wacli binary to access WhatsApp data and send messages. Before installing, verify you trust the wacli implementation (install from the official source), ensure you've run wacli auth interactively, and keep requireExplicitSendConfirmation enabled so the agent cannot send messages without your explicit confirm=true. Remember that the plugin can only be as safe as the local wacli binary and the data in ~/.wacli—if an attacker can replace that binary or that store, they could abuse these tools.

VirusTotal

No VirusTotal findings

View on VirusTotal

Static analysis

No suspicious patterns detected.