WhatsApp Group Admin
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is mostly read-only, but it deserves review because it reads local WhatsApp credential/profile files to list group information without declaring that sensitive access.
Only install or use this if you are comfortable letting the agent inspect your local OpenClaw WhatsApp credential/profile directory and show group metadata in the conversation. Prefer running list/info only when explicitly needed; the provided code does not show network exfiltration or destructive group changes.
Findings (1)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the list or info commands can disclose WhatsApp group IDs, names, creation times, and member counts to the agent/chat context.
The script accesses the local WhatsApp credential/profile directory and contacts file to infer group names and member counts. That is sensitive account state, and the registry metadata declares no primary credential or required config path.
const CREDS_PATH = path.join(... '.openclaw'), 'credentials', 'whatsapp', 'default'); ... fs.readdirSync(CREDS_PATH); ... const contactsPath = path.join(CREDS_PATH, 'contacts.json');
Declare the WhatsApp credential/config path in metadata and SKILL.md, explain exactly what is read and output, and ask the user before enumerating all groups.
