MH wacli
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used incorrectly, the agent could send a message or file to the wrong WhatsApp recipient.
The skill exposes a CLI action that can send WhatsApp messages or files to other people. The same file also requires explicit recipient, message text, and confirmation, so this is disclosed and controlled rather than hidden.
Text: `wacli send text --to "+14155551212" --message "Hello! Are you free at 3pm?"`
Only approve sends after checking the recipient, message text, and any file path carefully.
Anyone or anything using the authenticated CLI may be able to act through the connected WhatsApp account within wacli’s capabilities.
QR login gives the CLI delegated access to the user's WhatsApp account, which is expected for this integration but is still a significant account permission.
`wacli auth` (QR login + initial sync)
Authenticate only if you trust the wacli CLI, and review or remove the linked WhatsApp session when you no longer need it.
Private WhatsApp history may be copied to local storage and later searched or reused by the agent for requested tasks.
The skill can continuously sync WhatsApp history and store it locally. This is disclosed and matches the search/sync purpose, but it involves persistent private chat data.
`wacli sync --follow` (continuous sync) ... Store dir: `~/.wacli` (override with `--store`).
Run sync only when needed, consider using a dedicated `--store` location, and remove stored data when finished.
The installed wacli binary may change over time, so behavior could differ from what was current when this skill was published.
The Go install option uses an unpinned `@latest` dependency, and the CLI implementation is not included in the skill artifacts reviewed here.
`module`: `github.com/steipete/wacli/cmd/wacli@latest`
Install from a trusted source and consider pinning or reviewing the wacli version you use.
