Security audit

WhatsApp Validate

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it checks and can list phone numbers from a local WhatsApp/Baileys cache, with no evidence of exfiltration or hidden behavior.

Install only if you are comfortable letting the skill read the local WhatsApp/Baileys session cache for the connected account. Avoid running the list command unless you intentionally want cached phone numbers and JIDs printed into the agent conversation or logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Tp4

High
Category: MCP Tool Poisoning
Confidence: 96%
Finding
The skill claims to only validate whether numbers exist in the local Baileys session cache, but its documented and analyzed behavior includes bulk enumeration, listing known numbers, and reading additional contact sources. This mismatch hides materially broader data-access behavior, which can enable privacy-invasive enumeration of previously seen contacts and mislead operators about the scope of the tool.

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding
The skill description says it validates whether specific numbers exist in the local cache, but the code additionally implements bulk disclosure of all cached numbers. That expands the capability from point validation to contact enumeration, exposing historical WhatsApp identifiers derived from credential-backed session data and increasing privacy and misuse risk.

Context-Inappropriate Capability

Medium
Confidence: 98%
Finding
The CLI exposes a `list` command that returns cached phone numbers and JIDs, which is not necessary for validating whether a supplied number exists. In this context, that enables straightforward enumeration of sensitive contact/cache data from local WhatsApp session state, making privacy leakage and unauthorized harvesting more likely.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill omits a privacy warning despite enabling enumeration of phone numbers previously seen by the connected WhatsApp account. In this context, that makes the capability more dangerous because the skill is specifically about validating phone numbers, and batch/list operations can be used to profile contacts or infer prior interactions without clear user awareness.

Missing User Warnings

Medium
Confidence: 87%
Finding
The code reads from the local OpenClaw WhatsApp credential/session directory and surfaces phone numbers/JIDs from session and contacts data without any warning, consent check, or access restriction. Because this data is credential-backed and tied to prior interactions, exposing it through a utility command can leak sensitive relationship/contact information to whoever can invoke the skill.

VirusTotal

65/65 vendors flagged this skill as clean.