Back to skill
Skillv1.0.0
VirusTotal security
WhatsApp Contacts · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:13 AM
- Hash
- 34656d22b350efd293cff17388133c162c0a42b7f90f61ed9a6a3ab68719b7b9
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: whatsapp-contacts Version: 1.0.0 The skill is classified as suspicious due to its direct access to sensitive local files containing WhatsApp session and contact data. The `scripts/contacts.js` file reads from `process.env.OPENCLAW_STATE_DIR/credentials/whatsapp/default/store.json` or `contacts.json`. While this behavior aligns with the skill's stated purpose of listing and searching WhatsApp contacts, accessing such sensitive local credential/session stores represents a significant high-risk capability. There is no evidence of data exfiltration, persistence, or other malicious intent within the skill's code itself, but the exposure of this sensitive data via `console.log` could be leveraged by a malicious agent prompt for unauthorized exfiltration.
- External report
- View on VirusTotal