WhatsApp Utils

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly does what it says, but it reaches into the local WhatsApp credential/cache directory and can print all cached contacts without declaring that access.

Review carefully before installing. The static review found no sign of exfiltration or destructive behavior, but install this skill only if you are comfortable with the agent reading your local OpenClaw WhatsApp cache and displaying contact data; prefer a version that declares this access in its metadata and asks before exporting contacts.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked, the agent can inspect the presence and size/count breakdown of WhatsApp credential, session, sender-key, device-list, and contact cache files on the user's machine.

Why it was flagged

The script targets a local WhatsApp credentials/session cache directory. That is high-impact local account/session state, and the supplied registry metadata declares no credential or required config path for this access.

Skill content
const CREDS_PATH = path.join(process.env.OPENCLAW_STATE_DIR || path.join(os.homedir(), '.openclaw'), 'credentials', 'whatsapp', 'default');
Recommendation

Declare the WhatsApp state path and credential/cache access in metadata, document exactly which files are read, and require explicit user confirmation before inspecting local session/cache directories.

What this means

A full WhatsApp contact list could be exposed to the agent session when this command is run.

Why it was flagged

The export-contacts command reads the cached contacts file and prints phone numbers, names, and business flags to stdout. This is purpose-aligned, but the output is sensitive and may enter the agent transcript or logs.

Skill content
const contacts = JSON.parse(fs.readFileSync(contactsPath, 'utf8')); ... console.log(JSON.stringify({ total: exported.length, contacts: exported }, null, 2));
Recommendation

Run contact export only on explicit user request, add a privacy warning, and consider filters or previews so users can limit which contacts are displayed.