Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

WAHA Onboarding

v0.1.0

Onboard a new user to WhatsApp via WAHA—greet them, collect and sanitize their phone number, create/start a WAHA session, request and share a pairing code, v...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes WhatsApp onboarding via WAHA, which legitimately requires calling a WAHA client. However the skill metadata declares no required binaries, no install spec, and no environment variables, while the instructions repeatedly run 'waha-cli' commands. The dependency on a local CLI (and any credentials/config that CLI uses) is expected for this purpose but is not declared in the manifest — an inconsistency.
Instruction Scope
The instructions stick to a clear onboarding flow: collect and sanitize a phone number, create/start a session, request a pairing code, and verify auth. They only reference the user's provided phone number and the 'waha-cli' commands; they do not instruct reading arbitrary files or unrelated environment variables.
Install Mechanism
This is instruction-only and contains no install specification or downloads, which minimizes direct install risk. The runtime does execute shell commands (waha-cli), but no install step is defined by the skill itself.
Credentials
The skill declares no required environment variables or binaries, yet the runtime instructions require 'waha-cli' to be present and likely rely on whatever local authentication/configuration that CLI uses. The skill does not declare this dependency or any credentials it might consume, which is disproportionate and opaque — you don't know what local secrets/config the CLI will access when invoked.
Persistence & Privilege
The skill is not always-on and does not request persistent or elevated platform privileges in the metadata. Nothing in SKILL.md attempts to alter other skills or system-wide settings.
What to consider before installing
This skill appears to do what it says (onboard WhatsApp via WAHA) but its manifest omits that it needs a local 'waha-cli' binary and any credentials/config that binary might use. Before installing or enabling it:
1) verify where 'waha-cli' comes from and whether you trust that software;
2) confirm whether the CLI will access stored credentials or create network connections and review those policies;
3) test the flow in a safe environment (sandbox or VM) to observe what files/network calls the CLI performs;
4) require explicit user consent before running the CLI commands that will create sessions or share pairing codes; and
5) ask the skill author/maintainer to update the manifest to declare the required binary and any environment/config dependencies.
If you cannot verify the origin and behavior of 'waha-cli', avoid running this skill on sensitive systems.

Like a lobster shell, security has layers — review code before you run it.

latestvk978psvbhcpjmhjaz6exemk6nd83r4rg
