Security audit · WhatsApp

Security checks across malware telemetry and agentic risk

Overview

This is a coherent official WhatsApp channel plugin, but it handles private chats, media, and WhatsApp session state so users should configure it carefully.

Install only if you trust OpenClaw and want agents connected to WhatsApp. Use a separate WhatsApp number when possible, keep DM/group allowlists narrow, avoid enabling messageReceived hooks unless all loaded plugins are trusted, review who can issue channel commands, and treat local logs, saved media, transcripts, and WhatsApp Web credentials as sensitive data.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (9)

Intent-Code Divergence

Medium

Confidence: 96% confidence
Finding: The reaction path can produce String(messageIdRaw) even when resolveReactionMessageId returns null/undefined, because the fallback validation only checks params.messageId and does not stop execution if messageIdRaw remains absent. This can send a reaction request with the literal message ID "undefined", causing reactions to target an invalid message, potentially fail unpredictably, or affect downstream logic that assumes a valid identifier.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The README explicitly describes monitoring and replying to WhatsApp chats but provides no warning about privacy, consent, retention, or message-handling risks. For a messaging integration, this omission can lead users to deploy the plugin in ways that expose private communications, create unauthorized surveillance, or mishandle sensitive data.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The code logs WhatsApp sender identifiers such as phone numbers and names in verbose paths, including blocked senders, pairing requests, and reply failures. These identifiers are sensitive personal data, and if logs are retained, exported, or viewed by operators without strict controls, they can leak contact information and message relationship metadata.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The tool exposes a `force` parameter that is passed directly into `startWebLoginWithQr`, allowing a caller to forcibly initiate or overwrite a WhatsApp web-linking session. In a login/linking context, this is security-sensitive because it can disrupt an existing session or trigger relinking without any explicit confirmation, warning banner, or authorization check visible in this file.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: This code automatically downloads inbound WhatsApp media and persists it locally via saveMediaStream, but there is no user-facing notice, consent, or retention control visible in this file. That creates a privacy and data-handling risk because senders may not expect attachments to be stored on disk, and sensitive media could remain accessible to the host environment or backups.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The code transcribes audio from locally saved inbound media during preflight processing without any user-facing warning or consent mechanism shown here. Transcription materially increases privacy exposure because voice content is converted into searchable text, can be propagated into logs/context, and may reveal sensitive information beyond the original media handling expectation.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: This code allows outbound media to be loaded from arbitrary URLs and, when a readFile capability is provided, explicitly enables local file access with `localRoots: "any"`. That creates an SSRF/local file exposure risk because an actor controlling `mediaUrl` can cause the agent to fetch internal network resources or sensitive local files and then transmit them over WhatsApp, with no user-facing warning or strong restriction visible in this file.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The schema explicitly exposes a pluginHooks.messageReceived option that can broadcast inbound WhatsApp message payloads to all loaded plugins, but the manifest text shown here does not provide a strong user-facing privacy warning or consent boundary. In a messaging plugin context, inbound chat content can contain sensitive personal, business, or authentication data, so broad plugin fan-out increases the risk of unintended data exposure if any loaded plugin is over-privileged or compromised.

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: The UI hint states that WhatsApp can write configuration in response to channel events or commands, which creates a channel-driven configuration mutation path without a corresponding safety warning about trust boundaries, authorization, or rollback. In a chat-integrated agent, this can let message-triggered actions alter runtime policy or routing behavior, increasing the chance of unauthorized reconfiguration or persistent misconfiguration if upstream command handling is weak.

VirusTotal

60/60 vendors flagged this plugin as clean.

View on VirusTotal