WhatsApp FAQ Bot

Pass

Audited by VirusTotal on May 11, 2026.

Findings (1)

The `scripts/faqbot.py` file contains vulnerabilities related to file system access. The `import` command (`cmd_import`) does not validate the provided `filepath`, which allows reading arbitrary files from the filesystem (Local File Inclusion). Similarly, the `export` command (`cmd_export`) does not validate the `output` path, which allows writing the knowledge base content to arbitrary files (Local File Write). An attacker who controls the arguments passed to the script (e.g., via prompt injection against the OpenClaw agent) could exploit these flaws to read sensitive files or create/overwrite files in arbitrary locations, potentially leading to information disclosure or remote code execution. There is no evidence of intentional malicious behavior within the script itself.