WhatsApp Validate
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill appears to do its stated local WhatsApp-cache check, but it reads a WhatsApp session/credential cache and can list cached phone numbers, which is sensitive and under-declared.
Install only if you are comfortable with the agent reading the local WhatsApp/Baileys session cache under .openclaw and printing cached phone numbers. Avoid using the list command unless you specifically want cached contacts exposed in the conversation or logs.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may reveal information tied to the connected WhatsApp account, including numbers present in the local session cache.
The script directly targets the local WhatsApp/Baileys credential/session area, but the registry metadata declares no required credential or config path. This is sensitive account-adjacent local state.
const CREDS_PATH = path.join(process.env.OPENCLAW_STATE_DIR || path.join(os.homedir(), '.openclaw'), 'credentials', 'whatsapp', 'default');
Only use this skill if you intend to let it read that WhatsApp session cache. The skill should declare the required config path/credential access and require explicit user approval before accessing it.
A user or agent invocation could expose a list of phone numbers and WhatsApp JIDs from prior interactions with the connected account.
The skill reads persistent cached contact data and adds phone numbers to the output set; the documented list command can then enumerate cached numbers.
const contacts = JSON.parse(fs.readFileSync(contactsPath, 'utf8')); ... numbers.add(jid.replace('@s.whatsapp.net', ''));
Prefer checking only user-supplied numbers, add an explicit confirmation step for list/batch operations, and document what local cache files are read and what data may be printed.
