ClawHub

WhatsApp 428 修复

ReviewAudited by ClawScan on May 10, 2026.

Overview

This skill is related to fixing WhatsApp proxy issues, but its repair script makes broad persistent changes to the local OpenClaw installation and gateway service.

Install or run this only if you are comfortable with it modifying your local OpenClaw installation and user systemd service. Back up the affected files first, verify the proxy address and port, and consider using an official OpenClaw fix instead of runtime patching.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Medium
#ASI02: Tool Misuse and Exploitation
What this means

Running the script could change or break the local OpenClaw gateway behavior for more than just the current WhatsApp issue.

Why it was flagged

The script directly patches installed OpenClaw distribution files and restarts the gateway. This is a high-impact local mutation and is not limited to a reversible, scoped configuration change.

Skill content
AUTH_PROFILES=$(find "$OPENCLAW_DIR/dist" -name "auth-profiles-*.js" ...)
cp "$AUTH_PROFILES" "$AUTH_PROFILES.bak"
sed -i ... "$AUTH_PROFILES"
...
openclaw gateway restart
Recommendation

Review the script before running it, back up the OpenClaw installation, and prefer an official OpenClaw update or documented configuration option if available.

Medium
#ASI04: Agentic Supply Chain Vulnerabilities
What this means

The local OpenClaw installation may be modified by downloading dependency code from npm during the repair.

Why it was flagged

The repair script installs an unpinned npm package at runtime into the OpenClaw package directory, which introduces external supply-chain risk not represented by an install spec.

Skill content
cd "$OPENCLAW_DIR"
npm list https-proxy-agent >/dev/null 2>&1 || npm install https-proxy-agent --save
Recommendation

Pin dependency versions, document the install step in metadata, and avoid modifying the installed OpenClaw package at runtime unless the user explicitly approves.

Medium
#ASI10: Rogue Agents
What this means

Future OpenClaw gateway traffic may continue using the configured proxy until the systemd service file is manually restored or edited.

Why it was flagged

The script writes persistent proxy settings into the OpenClaw gateway service. This can keep affecting future gateway traffic after the repair task is complete.

Skill content
SERVICE_FILE="$HOME/.config/systemd/user/openclaw-gateway.service"
...
Environment=HTTP_PROXY=http://$LOCAL_IP:$PROXY_PORT
Environment=HTTPS_PROXY=http://$LOCAL_IP:$PROXY_PORT
Environment=ALL_PROXY=http://$LOCAL_IP:$PROXY_PORT
Recommendation

Document exactly what traffic is affected, provide an undo command, and ask the user to confirm persistent proxy changes before writing them.