ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Whatsapp Diagnostics

v1.0.1

Diagnose and fix WhatsApp connectivity issues for OpenClaw agents. Use when: a PA is not responding, WhatsApp shows connected but messages don't arrive, the...

0· 78·1 current·1 all-time
byNetanel Abergel@netanel-abergel
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The instructions match a WhatsApp diagnostics purpose (check gateway, restart, inspect logs, re-link QR). However the decision tree and health checks also validate external LLM provider API keys; while that can be relevant to diagnosing agent runtime failures, the skill metadata declares no required env vars or config paths — a mismatch between claimed requirements and actual checks.
Instruction Scope
SKILL.md instructs the agent to run OpenClaw CLI commands (openclaw gateway status/restart/logs, openclaw status, openclaw logs), grep a local log file (~/.openclaw/logs/agent.log), and run curl requests to external model provider endpoints. These actions are within troubleshooting scope but do access local logs and environment variables not declared in the registry metadata.
Install Mechanism
Instruction-only skill with no install spec or downloaded code. Nothing is written to disk by the skill itself — lowest install risk.
!
Credentials
The health-check script and Case 3 explicitly read ANTHROPIC_API_KEY, OPENAI_API_KEY, and GOOGLE_API_KEY and use them in network probes. The registry lists no required env vars or primary credential. The skill also reads a user-local log path (~/.openclaw/logs/agent.log). Requiring multiple provider keys and reading agent logs without declaring them is disproportionate to the metadata and should be justified or corrected.
Persistence & Privilege
The skill does not request always:true or persistent platform-wide privileges. It is user-invocable and allows model invocation (defaults), which is normal for skills.
What to consider before installing
This skill appears to be a legitimate CLI-based troubleshooting checklist, but it probes LLM provider API endpoints and reads local OpenClaw logs while declaring no required env vars or config paths. Before installing or running it: (1) confirm with the skill author why it needs to access OPENAI_API_KEY / ANTHROPIC_API_KEY / GOOGLE_API_KEY and whether those will be read automatically; (2) verify you are comfortable the skill will read ~/.openclaw/logs/agent.log and run openclaw CLI commands; (3) run the health-check script manually in a controlled environment (or inspect it) rather than granting automated/autonomous invocation until you’re satisfied; and (4) ensure API keys are stored securely and rotate them if you suspect they may be exposed. If the metadata is updated to declare the env vars and config path, and/or the skill is limited to explicit user-invoked runs, the concerns would be reduced.

Like a lobster shell, security has layers — review code before you run it.

latestvk977m5qnajy0y5md945ezmsdbn842qyf

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments