WhatsApp Local Endpoints Router

Pass. Audited by ClawScan on May 10, 2026.

Overview

The skill does what it claims—forward WhatsApp text or a QR image to a local HTTP service—but users should understand that message content is sent to that service.

This appears safe if you intentionally run a trusted local service on port 8080 for processing WhatsApp text and QR images. Before installing, verify the local endpoint and BASE_URL setting, and avoid sending private images or messages unless you trust that service.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

WhatsApp text entered through the skill will be sent to the configured local service for processing.

Why it was flagged

The skill executes a shell script that sends user-provided WhatsApp text to an HTTP endpoint. This is expected for the router purpose and is JSON-encoded, but it is still network-capable tool use.

Skill content

curl --silent --show-error --max-time "$TIMEOUT" ... -X POST "$BASE_URL/process" ... -d "$PAYLOAD"

Recommendation

Only use this skill when you trust the local endpoint and understand what it will do with the submitted text.

What this means

A selected QR image, and any content inside it, may be sent to whatever service BASE_URL points to.

Why it was flagged

The destination defaults to localhost, but it can be changed through BASE_URL, and image files are uploaded to that configured endpoint. This is purpose-aligned but makes the endpoint boundary important.

Skill content

BASE_URL="${BASE_URL:-http://localhost:8080}" ... -F "image=@$ARG"

Recommendation

Verify that BASE_URL is unset or points to a trusted local service before routing private WhatsApp images.

What this means

The skill may fail or behave differently on systems without those tools available.

Why it was flagged

The script depends on bash, python3, and curl, while the registry metadata declares no required binaries. This is not malicious, but the runtime prerequisites are under-declared.

Skill content

#!/usr/bin/env bash ... PAYLOAD="$(python3 - <<'PY' "$ARG" ... curl --silent --show-error

Recommendation

Confirm bash, curl, and python3 are present and expected on the host running the skill.