WhatsApp Common Groups

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill is read-only and purpose-related, but it scans your local WhatsApp credential/profile files to reveal group and member information, and the metadata does not declare that access.

Review carefully before installing. This skill appears read-only, but it works by inspecting local WhatsApp credential/profile files and can reveal private group membership and phone-number data. Install it only if you are comfortable exposing that local WhatsApp state to the agent.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the skill can expose WhatsApp group IDs, group names, and member phone numbers from your local account state into the agent conversation or logs.

Why it was flagged

The script reads the local WhatsApp credential/profile directory to infer group membership. This sensitive account-state access is not reflected by the supplied metadata, which lists no primary credential or required config path.

Skill content

path.join(os.homedir(), '.openclaw'), 'credentials', 'whatsapp', 'default'); ... const files = fs.readdirSync(CREDS_PATH);

Recommendation

Use only if you intentionally want the agent to inspect local WhatsApp state. The skill should clearly declare the credential/profile path it reads and require explicit user consent before accessing or listing membership data.

What this means

A user or agent could generate a list of WhatsApp numbers known from local group data, not just answer a single membership question.

Why it was flagged

The skill documents a broad enumeration command for known group members. It is disclosed and read-only, but it can reveal many private phone numbers if invoked.

Skill content

### List All Known Members Across Groups
exec({ cmd: "node <skill_dir>/scripts/common.js all-members 50" })

Recommendation

Invoke the all-members command only when you specifically want a broad membership listing, and consider limiting or removing this command if single-contact checks are the intended use.