Skill v1.0.0

ClawScan security

WhatsApp Group Admin · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 19, 2026, 4:42 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's functionality (group info/stats) matches its code, but there are inconsistencies: it reads local WhatsApp credential/state files while declaring no required binaries or config paths, and the documentation does not clearly warn about this sensitive local access.
Guidance
This skill appears to do what it says (count group members, parse invite links, create templates) but it reads local OpenClaw/WhatsApp state files (sender-key-* files and contacts.json) which may include sensitive contact or group metadata. Before installing: (1) confirm you are comfortable granting the skill read access to ~/.openclaw/credentials/whatsapp/default (or set OPENCLAW_STATE_DIR to a safe path); (2) note the skill assumes node is available — the package metadata does not declare this requirement; (3) inspect the included scripts/admin.js yourself (it is short and readable) or run it in a sandbox to verify behavior; (4) if you do not want any skill to access local WhatsApp state, do not install or disable autonomous invocation for this skill; (5) ask the author/registry to update metadata to list required binary 'node' and to declare the config path(s) it reads so users can make an informed decision.

Review Dimensions

Purpose & Capability
Note: The code implements WhatsApp group info, stats, invite parsing and templates, which matches the skill's description. However, the code requires access to local OpenClaw/WhatsApp state (credentials directory) to enumerate groups/members—this is reasonable for the stated purpose but the skill metadata does not declare that requirement.
Instruction Scope
Concern: SKILL.md instructs running node <skill_dir>/scripts/admin.js but does not mention that the script will read the user's OpenClaw WhatsApp credentials/state directory (defaults to $HOME/.openclaw/credentials/whatsapp/default or OPENCLAW_STATE_DIR). The script reads sender-key files and contacts.json, which may contain sensitive contact/group metadata. The instructions fail to warn the user about local file access.
Install Mechanism
Note: There is no install spec (instruction-only), which minimizes install-time risk. However, the skill includes a JS script that is intended to be run with 'node' — despite registry metadata declaring no required binaries. The absence of 'node' from required binaries is an inconsistency that should be corrected.
Credentials
Concern: The registry lists no required env vars or config paths, but the code reads OPENCLAW_STATE_DIR (if set) and falls back to ~/.openclaw/credentials/whatsapp/default. That path effectively gives the skill access to local WhatsApp credential/state files. The skill requests no external API keys, which is appropriate, but the undeclared local credential access is sensitive and should be explicitly declared.
Persistence & Privilege
OK: 'always' is false and the skill does not request persistent installation or modify other skills or system-wide settings. The skill can be invoked autonomously by the agent (platform default); combined with its local credential access this increases the potential blast radius, but autonomy alone is not a disqualifier.