WhatsApp Forward
Pass
Audited by ClawScan on May 1, 2026.
Overview
This appears to be a small local WhatsApp utility with no evidence of hidden network access, credential use, persistence, or destructive behavior.
This skill looks safe to install for its stated utility purpose. Be aware that it runs a local Node.js script and handles contact/link text supplied to it, so use proper quoting and only process contact data you intend to include in the generated output.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an agent constructs the command unsafely from unusual contact names or links, shell-special characters could cause unintended command behavior.
The skill is intended to be invoked through a command string with user-supplied arguments. This is expected for this CLI-style utility, but it means callers should avoid blindly interpolating untrusted text into the shell command.
exec({ cmd: "node <skill_dir>/scripts/forward.js COMMAND [ARGS]" })
Use structured argument passing where available, or carefully quote/escape names, phone numbers, JSON contact lists, and invite links before invoking the command.
The skill may fail or behave inconsistently on systems without Node.js installed.
The skill requires a local Node.js runtime, while the registry requirements list no required binaries. This is under-disclosed setup information, but the included script itself is present and simple.
node <skill_dir>/scripts/forward.js
Declare Node.js as a required binary/runtime so users understand the local execution requirement before installing.
