WhatsApp Lead Hunter

Security checks across malware telemetry and agentic risk

Overview

This skill openly automates scraping business contacts and sending WhatsApp outreach, but it lacks adequate safeguards for live bulk messaging and for handling compliance-sensitive contact data.

Review carefully before installing. Use only for lawful, permission-based outreach, and operate the skill with these controls in place:
  • run dry-runs first, and manually approve every recipient list and message before any live send;
  • enforce small batch limits;
  • keep suppression and opt-out lists and check every recipient against them;
  • set retention and deletion rules for lead files and phone-number logs;
  • keep the WAHA API key out of lead files, scripts, logs and agent transcripts;
  • keep WAHA bound to localhost or a trusted network, never exposed on a public interface.
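The controls above are easier to audit when the sending script enforces them than when they are left to the operator. The following is an added example (not the skill's own code and not WAHA's API client) showing a guard layer that defaults to dry-run, refuses to send without explicit approval, normalizes and de-duplicates numbers, rejects anything on a suppression list, caps the batch, records opt-outs, prunes the contacted-number log by age, takes the WAHA key only from the environment and accepts only a loopback WAHA URL. The `sender` callable is injected and is where the real WAHA HTTP call would go, so the script runs offline; the E.164 number format, the opt-out keywords, the 90-day retention window and the `WAHA_API_KEY` variable name are assumptions.

```python
"""Guard rails for a WAHA-backed outreach script: dry-run by default, explicit
approval, suppression/opt-out list, batch cap, loopback-only WAHA URL and an
API key read from the environment. Added example; not the skill's own code."""
import os
import re
from datetime import date, timedelta
from urllib.parse import urlparse

# Assumption: numbers are handled in E.164 ("+" followed by 7 to 15 digits).
E164 = re.compile(r"^\+[1-9]\d{6,14}$")
OPT_OUT_WORDS = ("stop", "unsubscribe", "opt out", "remove me")  # assumed keywords
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

def normalize(raw):
    """Strip separators, turn a 00 prefix into '+', validate as E.164; None if unusable."""
    digits = re.sub(r"[\s\-().]", "", raw or "")
    if digits.startswith("00"):
        digits = "+" + digits[2:]
    return digits if E164.match(digits) else None

def load_suppression(text):
    """Parse a suppression file: one number per line, '#' starts a comment."""
    numbers = (normalize(line.split("#", 1)[0]) for line in text.splitlines())
    return {n for n in numbers if n}

def waha_is_local(base_url):
    """Accept only a WAHA base URL (with scheme) whose host is loopback; 0.0.0.0
    and any public host fail, so the key and session never leave the box."""
    return urlparse(base_url).hostname in LOOPBACK

def api_key_from_env(env=None):
    """Take WAHA_API_KEY (assumed name) from the environment, never from a lead file."""
    key = (os.environ if env is None else env).get("WAHA_API_KEY", "").strip()
    if not key:
        raise RuntimeError("WAHA_API_KEY is not set")
    return key

def plan_batch(raw_recipients, suppression, max_batch=20):
    """Normalize, de-duplicate, drop suppressed numbers and cap the batch.
    Returns (to_send, skipped); skipped maps each rejected raw entry to a reason."""
    to_send, skipped, seen = [], {}, set()
    for raw in raw_recipients:
        number = normalize(raw)
        if number is None:
            skipped[raw] = "invalid"
            continue
        if number in seen:
            skipped[raw] = "duplicate"
        elif number in suppression:
            skipped[raw] = "suppressed"
        elif len(to_send) >= max_batch:
            skipped[raw] = "over_batch_limit"
        else:
            to_send.append(number)
        seen.add(number)
    return to_send, skipped

def send_batch(to_send, message, sender, suppression, approved=False, dry_run=True):
    """Call sender(number, message) (the WAHA HTTP call belongs there) only after
    manual approval and only when dry_run is off; each real send is added to the
    suppression set so the number is never contacted twice. Returns sent numbers."""
    if not approved:
        raise PermissionError("approve the recipient list and message first")
    sent = []
    for number in to_send:
        if dry_run:
            print(f"[dry-run] would send to {number}: {message[:40]!r}")
            continue
        sender(number, message)
        suppression.add(number)
        sent.append(number)
    return sent

def record_opt_out(number, inbound_text, suppression):
    """Put a replying number on the suppression list if the reply asks to stop."""
    text = inbound_text.strip().lower()
    if any(re.search(rf"\b{re.escape(w)}\b", text) for w in OPT_OUT_WORDS):
        suppression.add(number)
        return True
    return False

def prune_contact_log(entries, today, max_age_days=90):
    """Retention rule: keep only records whose ISO date is within max_age_days of today."""
    cutoff = date.fromisoformat(today) - timedelta(days=max_age_days)
    return [e for e in entries if date.fromisoformat(e["at"]) >= cutoff]

if __name__ == "__main__":
    # Constructed sample data; nothing is sent because dry_run stays on.
    suppression = load_suppression("+4915112345678  # opted out last week\n")
    leads = ["+1 (555) 010-0100", "+15550100100", "+4915112345678", "bogus", "+15550100101"]
    to_send, skipped = plan_batch(leads, suppression, max_batch=2)
    print("to_send:", to_send, "skipped:", skipped)
    send_batch(to_send, "Hello, quick question about your listing.",
               sender=lambda n, m: None, suppression=suppression, approved=True)
```

Note that `plan_batch` reports why each entry was dropped, so the reviewer approving the batch sees the suppressed and over-limit numbers rather than only the survivors, and `send_batch` writes every real send into the same set the next plan is checked against.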

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding
The skill instructs use of shell/curl and batch scripts but does not declare permissions or clearly scope those capabilities. Undeclared execution and network-capable tooling reduce transparency and can lead users or platforms to authorize broader actions than expected, especially in a workflow that automates outbound messaging.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The skill directs collection and storage of third-party business contact data without a clear warning about privacy, consent, retention, or applicable data-protection obligations. This creates legal/compliance risk and can normalize large-scale harvesting of contact information for unsolicited outreach.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The skill enables automated outbound WhatsApp messaging at scale and includes anti-conflict and batching guidance, but does not prominently warn about spam, platform-policy violations, consent requirements, or account bans. In context, this omission is more dangerous because the skill is specifically optimized for cold outreach and operational scaling.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The script persists contacted phone numbers to an ignore list and automates outbound WhatsApp messaging without any explicit consent, privacy notice, or operator warning about handling personal data. In a lead-generation and cold-outreach skill, this increases compliance and privacy risk because business contact data is being stored and used for unsolicited messaging at scale.

VirusTotal

67 of 67 vendors reported this skill as clean. A clean antivirus verdict does not address the behavioural and compliance findings above, which are not malware signatures.

View on VirusTotal