Back to skill
Skillv1.0.0
VirusTotal security
WhatsApp Group Admin · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:13 AM
- Hash
- eab0dd58a2cf6f6b9f098b6c81fa83854307c33df9df9cb989d94f1a69abe511
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: whatsapp-group-admin Version: 1.0.0 The skill is classified as suspicious due to two main factors: 1) The `SKILL.md` instructs the agent to execute a Node.js script (`scripts/admin.js`) with user-provided arguments directly, which is a common pattern that can lead to shell injection vulnerabilities if the script does not adequately sanitize input. 2) The `scripts/admin.js` file accesses sensitive local files within the OpenClaw agent's credential directory (`OPENCLAW_STATE_DIR/credentials/whatsapp/default`), specifically `contacts.json` and `sender-key-*` files, to extract WhatsApp group and member information. While this file access is plausibly needed for the skill's stated purpose of WhatsApp group administration, it involves handling sensitive data locally, increasing the risk profile.
- External report
- View on VirusTotal