ClawHub

WhatsApp Chats

v1.0.0

List, search, and analyze WhatsApp conversations

0· 1.2k·6 current·6 all-time
byMarcos Santos@marcosrippel
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description claim to read/search a local Baileys WhatsApp session cache; the script's behavior matches that: it enumerates files under a credentials path and reads contacts.json to build chat lists. That purpose is coherent with the code. However, the skill metadata does not declare required binaries (the SKILL.md calls node) nor the credentials/config path it reads, which is an omission.
!
Instruction Scope
SKILL.md instructs the agent to exec node scripts/chats.js which will read the local OpenClaw-state WhatsApp credentials directory (OPENCLAW_STATE_DIR or ~/.openclaw/credentials/whatsapp/default) and parse filenames and contacts.json. The instructions do not explicitly warn that local credential/session files will be read nor declare the config path. The agent will therefore access potentially sensitive local files without that being surfaced in the skill metadata or usage instructions.
Install Mechanism
There is no install spec (code is executed from the skill directory). This is lower installation risk; no external downloads or package installations are performed by the skill itself.
!
Credentials
The skill declares no required env vars or config paths, yet the code reads process.env.OPENCLAW_STATE_DIR (if set) and falls back to ~/.openclaw/credentials/whatsapp/default. It therefore accesses a local credentials directory (sensitive data) without declaring it. Also SKILL.md requires the 'node' binary but metadata lists none — a mismatch that affects runtime expectations.
Persistence & Privilege
The skill is not always-enabled and does not request system-wide persistence or modify other skills. It runs on-demand and does not attempt to write configuration or change other skills' settings.
What to consider before installing
This skill will run a Node script that reads your local OpenClaw state directory (OPENCLAW_STATE_DIR or ~/.openclaw/credentials/whatsapp/default) and parses WhatsApp session filenames and contacts.json. That directory can contain sensitive session/identity information. Before installing or invoking: (1) confirm you trust the skill author (source is unknown), (2) be aware that SKILL.md requires the 'node' binary even though metadata doesn't list it, (3) inspect the script (already included) and ensure you are comfortable with it reading your credentials directory, (4) consider running it in a sandboxed environment or on a copy of your credentials directory, and (5) request the maintainer to explicitly declare required binaries and the config path in the skill metadata so the data access is transparent. If you do not want a skill to access your WhatsApp session files, do not install or run it.

Like a lobster shell, security has layers — review code before you run it.

baileysvk97fgv5k5zz06djz1g7hs1kb9981d76echatsvk97fgv5k5zz06djz1g7hs1kb9981d76econversationsvk97fgv5k5zz06djz1g7hs1kb9981d76elatestvk97fgv5k5zz06djz1g7hs1kb9981d76eofflinevk97fgv5k5zz06djz1g7hs1kb9981d76ewhatsappvk97fgv5k5zz06djz1g7hs1kb9981d76e

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments