WhatsApp Validate
v1.0.0
Check if phone numbers exist in the local Baileys session cache
MIT-0
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The script's purpose (checking the local Baileys/WhatsApp cache) matches the skill name/description, but the skill manifest declares no required config paths or binaries while the code reads files from the user's OpenClaw credentials directory (~/.openclaw/... or OPENCLAW_STATE_DIR). Not declaring access to credential storage is a notable mismatch.
Instruction Scope
SKILL.md instructs the agent to exec a Node script but does not disclose that the script will read the user's WhatsApp credential directory and contacts.json. The runtime code enumerates session- and device-list files and reads contacts.json — it accesses local sensitive state (WhatsApp session/contacts) even though the instructions do not explicitly call this out.
Install Mechanism
There is no install spec (instruction-only) which is low risk, but the skill includes a JS script that requires node at runtime. The manifest did not list 'node' as a required binary. This omission is an inconsistency the user should be aware of (you must have Node available to run it).
Credentials
The code reads from a credential path derived from OPENCLAW_STATE_DIR or the default ~/.openclaw path and loads contacts/session files. The skill declares no required env vars or config paths in the registry metadata. Access to local credential files is sensitive and should have been declared; the requested access is proportionate to the described function but is not advertised in the manifest.
Persistence & Privilege
The skill is not always-included, does not request elevated/persistent privileges, does not modify other skills or system configuration, and contains no autonomous persistence behavior in the code.
What to consider before installing
This skill reads your local OpenClaw WhatsApp credential directory (~/.openclaw/credentials/whatsapp/default or the directory set by OPENCLAW_STATE_DIR) and parses session/device files and contacts.json to determine which phone numbers are known. It does not perform network calls in the included code, but the registry/manifest/SKILL.md do not declare the config path or the fact it requires Node. Before installing:
- If you plan to use it, verify you have Node and consider running the script manually in a safe environment first (e.g., a throwaway account or VM) to confirm behavior.
- If you use the skill with a real WhatsApp account, be aware it reads your session/contacts data — only install if you trust the skill owner and accept local exposure of that data.
- Ask the author to update the manifest/SKILL.md to declare required binaries (node) and the exact config path(s) this skill reads (or allow overriding with OPENCLAW_STATE_DIR), and to document privacy considerations.
- If you are uncomfortable, do not install or run it against a production account; run it in an isolated environment or inspect/modify the script to limit file reads to a safe test directory.
Like a lobster shell, security has layers — review code before you run it.
baileys latest offline phone validate verification whatsapp
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
SKILL.md
WhatsApp Validate Skill
Validate whether phone numbers have been seen by the connected WhatsApp account.
Usage
exec({ cmd: "node <skill_dir>/scripts/validate.js COMMAND [ARGS]" })
Commands
Check Single Number
exec({ cmd: "node <skill_dir>/scripts/validate.js check \"5511999999999\"" })
Batch Check
exec({ cmd: "node <skill_dir>/scripts/validate.js batch \"5511999999999,5511888888888\"" })
List Known Numbers
exec({ cmd: "node <skill_dir>/scripts/validate.js list 50" })
Note
This skill checks the local cache only. A number not found may still have WhatsApp — it simply hasn't interacted with the bot yet.
Files
2 total
