ClawHub

WhatsApp Groups

Security checks across malware telemetry and agentic risk

Overview

This skill is a local WhatsApp group discovery helper whose sensitive file reads and optional config write are disclosed and aligned with its purpose.

Install only if you are comfortable with the agent reading the local WhatsApp/Baileys session for this bot account and seeing group IDs and names. Use list/search/get-id for read-only discovery; run sync only when you intend to let it edit openclaw.json, then review the added disabled group entries before enabling any group.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill invokes a Node.js script and its documented behavior depends on access to environment/session-related data, yet it declares no permissions. This creates hidden capability use and undermines least-privilege controls, making it easier for a caller or reviewer to underestimate what data the skill can access.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill is described as read-oriented discovery/search functionality, but it also includes a sync operation that writes to and modifies openclaw.json by adding groups with default settings. This mismatch is dangerous because users may authorize or run the skill expecting a non-destructive metadata query tool, while it can silently alter persistent configuration and expand downstream exposure or automation scope.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill description says it discovers, lists, and searches WhatsApp groups, but the implementation also mutates the global OpenClaw configuration by adding entries to openclaw.json. This is a scope-expansion issue: even if the added groups are disabled by default, modifying shared configuration is a side effect users may not expect from a discovery utility and can affect other components that trust that config.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code writes directly to the global OpenClaw configuration despite the stated purpose being group discovery/search, creating an unnecessary privileged side effect. Because this file is shared application state, unexpected writes can alter behavior outside this skill, weaken least-privilege boundaries, and make it easier for future changes to turn a read-only helper into a persistence or policy-modification path.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill reads Baileys WhatsApp session cache data and exposes group metadata, but the description does not warn about this sensitive data access. In context, this is more dangerous because session-derived data can reveal private group identities, IDs, and participation details that operators may not expect to be enumerated or surfaced by a seemingly simple group utility.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script accesses local WhatsApp session data and application configuration from the user's state directory without any explicit disclosure or consent mechanism. In this context, those files reveal private group identifiers, names, and account metadata, so silent access increases privacy risk and can surprise users who reasonably expect a listing tool to explain that it reads sensitive local session artifacts.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal