Back to skill

Security audit

WhatsApp Business Al Assistant

Security checks across malware telemetry and agentic risk

Overview

This WhatsApp automation skill is not malware, but it needs Review because it can store customer chats, book appointments, send follow-ups, and share details with other services without enough consent and retention guidance.

Review before installing. Use least-privilege test credentials first, secure or replace the plaintext .env file, avoid ngrok in production unless hardened, define how long chats/leads are retained, disclose storage and third-party sharing to customers, require explicit opt-in for marketing and recurring follow-ups, and keep human approval around clinic, prescription, complaint, refund, broadcast, and booking workflows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares required binaries and provides numerous shell commands and script entry points, but does not declare corresponding permissions/capabilities in a way that would clearly inform users or the platform about shell execution. This creates a trust and review gap: operators may run installation, webhook, and export scripts with less scrutiny than they should.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README promotes automatic handling, logging, lead scoring, and follow-up of WhatsApp conversations but provides no warning about consent, retention, privacy, or sensitive customer data. In a messaging/business context, this can lead operators to deploy customer-data processing that is non-compliant or unsafe, especially where chats may include health, booking, or contact information.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill advertises appointment booking, CRM logging, calendar integration, and clinic use cases without any caution about customer-data exposure, authorization boundaries, or integrity risks from automated actions. Because it touches scheduling systems and stores lead records, missing safety guidance increases the chance of unauthorized data handling, accidental disclosure, or harmful automation in operational systems.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly logs leads, stores raw conversation transcripts, and posts data to external CRM/webhooks, but does not present any meaningful privacy notice, consent flow, retention policy, or data-minimization guidance. Because this skill processes customer communications and contact details, the missing disclosure and controls materially increase the risk of privacy violations and unauthorized data sharing.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The booking templates use broad, overlapping intents such as 'booking', 'tour_inquiry', 'membership_inquiry', and 'reservation', which can cause the wrong workflow to activate if this shared template set is loaded across multiple business types. In a customer-facing WhatsApp automation context, misrouting can lead to collecting incorrect details, sending inaccurate business information, and creating unauthorized or failed bookings.

Vague Triggers

Medium
Confidence
84% confidence
Finding
Using the generic 'general' intent for greeting flows is ambiguous and may cause routine user messages to trigger a greeting instead of a more specific support, booking, or complaint flow. In this skill, that mainly creates conversation confusion and could delay handling of user requests, but it does not by itself expose secrets or enable code execution.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The after-hours greeting also relies on a generic 'general' intent, so common user messages sent at night could be diverted into a greeting flow rather than the correct operational path. Because this is a business messaging assistant, the main risk is missed or delayed customer handling and inaccurate expectations about support availability rather than direct security compromise.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The file defines multiple automated outreach flows, including scheduled recurring promotional messaging, without any clear user-facing disclosure that messages may be sent automatically or on an ongoing basis. In a WhatsApp business messaging context, this increases the risk of non-consensual or unexpected contact, user complaints, and policy/compliance violations, especially for the recurring promotion flow.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The 'general' intent aliases include extremely common conversational tokens such as 'hi', 'yes', 'no', 'ok', and 'thanks', which are likely to appear in many unrelated exchanges. In a WhatsApp business automation context, this can cause unintended intent matches, derail conversation state, and trigger the wrong automated workflow or response at high frequency.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The 'lead' intent uses broad aliases such as 'info', 'information', and 'tell me more', which can match ordinary conversational requests that are not genuine sales leads. In this skill, that can incorrectly classify users into lead-capture or follow-up flows, causing privacy, consent, and business-process issues such as unwanted contact or inaccurate CRM entries.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The 'complaint' intent includes broad terms like 'bad', 'poor', 'problem', and 'issue', which can appear in many contexts unrelated to an actual complaint. In a customer-service automation system, this may route neutral or informational messages into escalation, refund, or cancellation handling paths, creating service disruption and erroneous business actions.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The workflow requests a customer's phone number for confirmation but shows no notice about why the data is collected, how it will be used, or whether it will be retained. In a WhatsApp business context handling personal contact data, lack of disclosure creates privacy and compliance risk and can lead to unauthorized or unexpected downstream processing.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The workflow creates calendar events and persists customer details in a leads database without any visible disclosure or consent step. This expands the data footprint beyond the chat session and can expose personal information to additional systems, users, and retention policies the customer was never told about.

Missing User Warnings

High
Confidence
97% confidence
Finding
On failure, the workflow sends the customer's name, phone number, and booking details into Slack without any visible user disclosure. Sharing personal data into a broad internal messaging platform materially increases exposure risk because channels may have many members, weaker retention controls, integrations, and message forwarding beyond the original business purpose.

Session Persistence

Medium
Category
Rogue Agent
Content
### 3. Configure environment

Create `~/.openclaw/skills/whatsapp-business-ai/.env`:

```env
WHATSAPP_PHONE_NUMBER_ID=your_phone_number_id
Confidence
87% confidence
Finding
Create `~/.openclaw

VirusTotal

41/41 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.