ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

jj

Send WhatsApp messages to other people or search/sync WhatsApp history via the wacli CLI (not for normal user chats).

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 1.6k · 1 current installs · 1 all-time installs
by@rafay0313
duplicate of @engahmedsalah358-lgtm/whats
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required binaries, and runtime instructions all align with a WhatsApp CLI integration. The skill only requires the wacli binary and the described commands (send, search, sync, backfill) match the documented purpose.
Instruction Scope
SKILL.md limits actions to explicit user requests to message third parties or sync/search history. It references the wacli store dir (~/.wacli) and sending files via --file, which is expected for a messaging CLI. There are no instructions to read unrelated system paths or environment variables.
Install Mechanism
Installers are Homebrew formula steipete/tap/wacli and a go module github.com/steipete/wacli — both are standard ways to obtain the wacli binary. This is reasonable, but installing from a third‑party Homebrew tap or building from a GitHub module carries normal third‑party code trust risk; review the upstream project if you need stronger assurance.
Credentials
The skill declares no environment variables or credentials. It does use the wacli store (~/.wacli) for auth, which is appropriate for a WhatsApp client and is disclosed in the instructions.
Persistence & Privilege
The skill is not always-enabled and does not request system-wide privileges. It relies on the installed wacli binary and the user's WhatsApp auth (QR-based) stored in ~/.wacli; it does not itself request persistent platform privileges.
Assessment
This skill appears to be what it claims, but it controls a tool that can message real people and uses local WhatsApp auth data. Before installing: (1) verify you trust the upstream project (https://wacli.sh and the GitHub repo) since the Homebrew tap and go module install third‑party code; (2) be aware wacli uses ~/.wacli for credentials—inspect that directory if needed and avoid sharing it; (3) confirm recipients and message content every time (the SKILL.md also requires this); (4) consider running wacli in a sandbox/container or installing it only when you need the capability; and (5) review wacli's documentation and source if you need stronger assurance about what the binary will do.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk975jmqny8exw7xx6xr9wgnjex800mb4

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📱 Clawdis
Binswacli

Install

Install wacli (brew)
Bins: wacli
brew install steipete/tap/wacli
Install wacli (go)
Bins: wacli
go install github.com/steipete/wacli/cmd/wacli@latest

SKILL.md

wacli

Use wacli only when the user explicitly asks you to message someone else on WhatsApp or when they ask to sync/search WhatsApp history. Do NOT use wacli for normal user chats; Clawdbot routes WhatsApp conversations automatically. If the user is chatting with you on WhatsApp, you should not reach for this tool unless they ask you to contact a third party.

Safety

  • Require explicit recipient + message text.
  • Confirm recipient + message before sending.
  • If anything is ambiguous, ask a clarifying question.

Auth + sync

  • wacli auth (QR login + initial sync)
  • wacli sync --follow (continuous sync)
  • wacli doctor

Find chats + messages

  • wacli chats list --limit 20 --query "name or number"
  • wacli messages search "query" --limit 20 --chat <jid>
  • wacli messages search "invoice" --after 2025-01-01 --before 2025-12-31

History backfill

  • wacli history backfill --chat <jid> --requests 2 --count 50

Send

  • Text: wacli send text --to "+14155551212" --message "Hello! Are you free at 3pm?"
  • Group: wacli send text --to "1234567890-123456789@g.us" --message "Running 5 min late."
  • File: wacli send file --to "+14155551212" --file /path/agenda.pdf --caption "Agenda"

Notes

  • Store dir: ~/.wacli (override with --store).
  • Use --json for machine-readable output when parsing.
  • Backfill requires your phone online; results are best-effort.
  • WhatsApp CLI is not needed for routine user chats; it’s for messaging other people.
  • JIDs: direct chats look like <number>@s.whatsapp.net; groups look like <id>@g.us (use wacli chats list to find).

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…