Security audit · WhatsApp

Security audit

Security checks across malware telemetry and agentic risk

Overview

This is a coherent official OpenClaw WhatsApp channel plugin, with sensitive but expected chat, media, and WhatsApp session behavior.

Install only if you intend OpenClaw to connect to a WhatsApp account and process configured chats. Review DM/group allowlists, pairing mode, media access, and who can trigger replies before enabling it, and inform chat participants where appropriate.

SkillSpector

By NVIDIA

Vulnerability Patterns

Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (5)

Context-Inappropriate Capability

Medium

Confidence: 92% confidence
Finding: The legacy helper reconstructs an admitted access-control state from deprecated top-level fields and treats any message as admitted unless `accessControlPassed === false`. That fail-open compatibility behavior can let untrusted or forged message objects appear authorized without rerunning current policy checks, which weakens the integrity of downstream authorization decisions.

Intent-Code Divergence

Low

Confidence: 84% confidence
Finding: This helper lives in the access-control flow but does not enforce access checks; instead it fabricates an admission object from legacy fields. That can mislead callers into treating compatibility-normalized data as a security decision, increasing the chance of authorization bypass when legacy inputs are still accepted.

Context-Inappropriate Capability

Medium

Confidence: 90% confidence
Finding: This handler exposes a materially broader capability than its apparent purpose: in addition to reactions, it can upload media and send WhatsApp messages with captions. In an agent skill context, unexpected outbound messaging/file delivery expands the attack surface for abuse, policy bypass, and data exfiltration, especially if callers or reviewers assume the module is reaction-only.

Intent-Code Divergence

Medium

Confidence: 95% confidence
Finding: The file and API framing imply a reaction handler, but the dispatcher also accepts an "upload-file" action that sends media/messages. That mismatch can mislead reviewers, integrators, and allowlisting systems into granting this code broader operational privileges than intended, enabling covert outbound communication under an innocuous label.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The README explicitly states that agents can monitor and reply to WhatsApp chats, but it does not warn users that message contents may be collected, processed, retained, or acted on automatically. For a messaging integration, this omission can lead to uninformed deployment in private or sensitive conversations, increasing the risk of privacy violations, consent issues, and unsafe automation.

VirusTotal

60/60 vendors flagged this plugin as clean.

View on VirusTotal