ClawHub

Whatsapp Diagnostics

Security checks across malware telemetry and agentic risk

Overview

This is a visible WhatsApp troubleshooting guide, but some optional checks use live provider API keys and should be run carefully.

Use this in a trusted shell, and treat the API-key checks as live outbound credential use. Avoid sharing logs or command output without redacting secrets, and coordinate gateway restarts on shared OpenClaw infrastructure.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill instructs operators to validate third-party LLM API keys by reading local environment variables and sending authenticated requests to external provider endpoints. Even if intended for troubleshooting, this expands the skill from WhatsApp diagnostics into generalized credential testing and can cause unintended use or disclosure of sensitive credentials over the network without a clear necessity tied strictly to WhatsApp transport health.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The quick health check script automatically detects provider API keys in environment variables and uses them to probe external model APIs. This creates a reusable credential-validation capability beyond the advertised WhatsApp troubleshooting scope, increasing the chance that sensitive secrets are handled or transmitted in contexts where the user may not expect it.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The API-key validation commands send live credentials to external services but do not explicitly warn the operator that secrets will be transmitted off-host. In a diagnostic skill, this can surprise users, violate expected privacy boundaries, and increase the risk of accidental credential exposure through misuse, logging, shell history, or execution in the wrong environment.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The quick health check script reads sensitive environment variables and automatically sends them in HTTP requests without a clear privacy or safety notice. Because the behavior is bundled into a convenience script, operators may run it reflexively, causing secret-bearing outbound traffic that is not obvious from the skill's WhatsApp-focused description.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal