jj
ReviewAudited by ClawScan on May 10, 2026.
Overview
This is a coherent WhatsApp CLI skill, but it can send messages and sync/search WhatsApp history from your account, so use it only with clear approval.
Install only if you trust the wacli CLI and want Claw to help with WhatsApp sending or history search. Before sending, verify the recipient and message. Before syncing, understand that WhatsApp history may be stored under ~/.wacli or another store path you choose.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If misused, the agent could send an unintended WhatsApp message or file from the user's account.
The skill can send WhatsApp messages, which is a high-impact external action, but it explicitly requires recipient/message details and confirmation before sending.
Safety - Require explicit recipient + message text. - Confirm recipient + message before sending.
Approve sends only after verifying the exact recipient, message text, and any attached file.
The CLI may operate with the user's WhatsApp identity and access account messages after authentication.
Using QR login links the CLI to the user's WhatsApp account, which is expected for the skill but grants account-level messaging and history access.
Auth + sync - `wacli auth` (QR login + initial sync)
Authenticate only on a trusted machine, review wacli's permissions/session behavior, and revoke or remove the session if no longer needed.
Private WhatsApp history may be stored locally and become searchable by the agent when the user asks.
The skill documents continuous synchronization and local storage of WhatsApp data, which can retain private chat history for future search/use.
- `wacli sync --follow` (continuous sync) ... - Store dir: `~/.wacli` (override with `--store`).
Use sync only when needed, consider a dedicated `--store` location, and periodically delete or protect stored chat data.
The behavior ultimately depends on the installed wacli binary and its supply chain, not just this instruction file.
The skill relies on an external CLI installed from a Homebrew tap or an unpinned Go module version; no local executable code is included in the reviewed artifacts.
brew formula: steipete/tap/wacli ... go module: github.com/steipete/wacli/cmd/wacli@latest
Install wacli from the official project source, prefer pinned/reviewed versions where possible, and keep the binary updated from trusted channels.