
Security checks across malware telemetry and agentic risk

Overview

This is a coherent WhatsApp Business integration, but it enables live messaging and destructive business-account actions without enough user-confirmation guidance.

Install only if you trust Maton with your WhatsApp Business workflow. Use least-privilege credentials, explicitly specify the intended connection for every mutating action, verify recipient numbers and resource IDs before use, and require manual approval before sending messages or deleting or changing business resources.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill is explicitly designed to send WhatsApp messages and manage live WhatsApp Business resources, including deleting connections and media, but it does not prominently require user confirmation or warn that data will be transmitted to external third-party services. In an agent setting, this can cause unintended outbound communication or destructive actions on a production business account.

Tool Parameter Abuse

High
Category: Tool Misuse
Content
#### Delete Media

```bash
DELETE /whatsapp-business/v21.0/{media_id}
```

### Message Templates
Confidence: 91%
Finding
DELETE /whatsapp-business/v21.0/{media_id}

Tool Parameter Abuse

High
Category: Tool Misuse
Content
#### Delete Template

```bash
DELETE /whatsapp-business/v21.0/{whatsapp_business_account_id}/message_templates?name=template_name
```

### Phone Numbers
Confidence: 92%
Finding
DELETE /whatsapp-business/v21.0/{whatsapp_business_account_id}/message_templates?name=template_name

VirusTotal

64/64 vendors flagged this skill as clean.
