ClawHub

P-API - WhatsApp API

Security checks across malware telemetry and agentic risk

Overview

The skill is documentation-only and purpose-aligned, but it enables real WhatsApp messaging, instance deletion, and webhook data forwarding without clear safety controls or warnings.

Install only if you understand that the connected API key may let an agent send real WhatsApp messages, alter or delete service state, change groups, and forward conversation events to external systems. Use a limited-scope key, test instance, trusted HTTPS webhook endpoints, and require explicit approval for sends, deletions, group changes, and webhook setup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill advertises WhatsApp automation, instance management, and webhook features without warning users about privacy, consent, or sensitive data handling. Because this skill enables outbound messaging and event delivery from user conversations, omission of safety guidance increases the risk of misuse, unauthorized outreach, and accidental exposure of personal data to third-party endpoints.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation includes destructive instance deletion functionality without any caution about permanence, service disruption, or verification steps. In an automation context, users may invoke deletion casually or through misconfigured agents, causing loss of active WhatsApp connectivity, configuration, and operational downtime.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The webhook and WebSocket examples instruct users to forward event data to external endpoints but do not warn that message contents, metadata, and instance identifiers will leave the system boundary. This omission can lead operators to send sensitive conversation data to third-party services without proper trust review, minimization, authentication, or privacy controls.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal