WhatsApp Common Groups

Pass

Audited by VirusTotal on May 12, 2026.

Findings (1)

The skill accesses sensitive WhatsApp credential and state files (e.g., `sender-key-*`, `contacts.json`) located in `OPENCLAW_STATE_DIR/credentials/whatsapp/default`. While this access is necessary for the skill's stated purpose of managing WhatsApp groups and members, direct interaction with credential files is a high-risk operation. The `SKILL.md` instructs the agent to use `exec({ cmd: "node <skill_dir>/scripts/common.js COMMAND [ARGS]" })`, which could introduce a shell injection vulnerability if the OpenClaw agent does not properly sanitize `COMMAND` and `ARGS` before execution. However, the `common.js` script itself does not exhibit malicious intent, such as data exfiltration to external endpoints or persistence mechanisms; it processes the data and outputs it to `stdout` as JSON.