Heleni WhatsApp

Security checks across malware telemetry and agentic risk

Overview

This WhatsApp management skill is purpose-aligned, but it needs review because it can automatically reply/react and persist cleartext private chat data, and it includes admin troubleshooting commands.

Install only if you intend the agent to manage WhatsApp conversations and keep local memory. Set clear rules for which chats may be logged, how long records are kept, who can read them, and whether automatic sends are allowed. Require explicit approval before gateway restarts, log review, or API-key checks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The troubleshooting section expands the skill beyond WhatsApp memory/tracking into infrastructure control (`openclaw gateway restart`, log inspection) and credential-backed external API validation. In an agent skill, this increases the blast radius from passive file operations to operational control and secret use, creating opportunities for unintended service disruption or credential misuse if the instructions are followed automatically.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The skill claims all operations are file-based and require no reasoning, but later instructs network access and service-management commands. This mismatch is dangerous because it can cause operators or orchestrators to grant the skill broader trust or permissions than they would if its real behavior were disclosed, enabling unexpected side effects.

Ssd 3

Medium
Confidence: 97%
Finding
The skill requires persistent per-conversation logging after every significant DM exchange, including names, roles, discussion topics, status, and related identifiers in plain files. In a WhatsApp-management skill, this is especially sensitive because it centralizes private communications and metadata into local natural-language records that are easy to exfiltrate, over-retain, or reuse outside the original context.

Ssd 3

Medium
Confidence: 98%
Finding
The unanswered-message tracker stores and repeatedly displays message bodies, sender names, phone numbers, timestamps, and chat context in a shared JSON file. This materially increases privacy and data-leak risk because a broad set of user communications is retained in cleartext and then surfaced during heartbeat and review workflows, multiplying exposure of sensitive personal data.

VirusTotal

65/65 vendors flagged this skill as clean.
