WhatsApp Cloud API reference

Security checks across malware telemetry and agentic risk

Overview

This is mostly a legitimate WhatsApp Cloud API reference, but one validation helper can send a real message while presenting itself as a registration check.

Review before installing. Do not use the probe-by-message registration helper; rely on your own opt-in records (or a documented contacts lookup, where your API offering provides one) instead. Keep Meta System User tokens in a secret manager rather than in code or environment dumps, avoid logging message contents or full phone numbers, verify webhook signatures before parsing any inbound payload, and send messages only to recipients who have opted in.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The example claims to check whether a number is registered on WhatsApp, but it actually sends a real message via the `/messages` endpoint with body `_`. That can contact users without intent or consent, create compliance/privacy issues, and trigger real business messaging side effects such as charges, spam complaints, or opening an unintended conversation flow.
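The side effect described in this finding, shown as an added example that is not code from the scanned skill: the probe-style "check" next to a consent check that never touches the network. The Graph base URL is the one in the finding; the `post` transport callable, the `RecordingTransport` stand-in, the opt-in dictionary and the phone numbers are assumptions constructed for the demonstration.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Added example; not code from the scanned skill. The transport callable,
# the recording stand-in and the opt-in dictionary are assumptions.
GRAPH = "https://graph.facebook.com/v21.0"

# A transport is any callable (url, headers, json_body) -> (status, response).
Transport = Callable[[str, Dict[str, str], dict], Tuple[int, dict]]


def _headers(token: str) -> Dict[str, str]:
    return {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}


def probe_by_message(phone_id: str, token: str, to: str, post: Transport) -> bool:
    """The pattern the finding describes: a 'registration check' that is really
    a send. A 2xx from /messages means a real message with body "_" went out."""
    payload = {
        "messaging_product": "whatsapp",
        "to": to,
        "type": "text",
        "text": {"body": "_"},
    }
    status, _ = post(f"{GRAPH}/{phone_id}/messages", _headers(token), payload)
    return 200 <= status < 300


def can_message(to: str, opt_ins: Dict[str, bool]) -> bool:
    """Hardened replacement: answer from your own consent records. No network
    call, so nothing reaches the recipient as a side effect of asking."""
    return bool(opt_ins.get(to, False))


def send_text(phone_id: str, token: str, to: str, body: str,
              opt_ins: Dict[str, bool], post: Transport) -> Optional[dict]:
    """Send only after the consent check passes; otherwise issue no request."""
    if not can_message(to, opt_ins):
        return None
    payload = {"messaging_product": "whatsapp", "to": to, "type": "text",
               "text": {"body": body}}
    status, resp = post(f"{GRAPH}/{phone_id}/messages", _headers(token), payload)
    return resp if 200 <= status < 300 else None


class RecordingTransport:
    """Offline stand-in for requests.post: records every call, answers 200."""

    def __init__(self) -> None:
        self.calls: List[Tuple[str, dict]] = []

    def __call__(self, url: str, headers: Dict[str, str], body: dict) -> Tuple[int, dict]:
        self.calls.append((url, body))
        return 200, {"messages": [{"id": f"wamid.fake{len(self.calls)}"}]}


def demo() -> dict:
    """Run both paths against the recording transport and count what each sent."""
    t = RecordingTransport()
    opt_ins = {"15550001111": True}                 # constructed consent record
    probe_by_message("PHONE_ID", "TOKEN", "15559998888", t)   # number with no opt-in
    probe_sent = len(t.calls)                        # the 'check' sent a message
    send_text("PHONE_ID", "TOKEN", "15559998888", "hello", opt_ins, t)
    refused_sent = len(t.calls) - probe_sent         # no consent, no request
    send_text("PHONE_ID", "TOKEN", "15550001111", "hello", opt_ins, t)
    consented_sent = len(t.calls) - probe_sent - refused_sent
    return {"probe_sent": probe_sent, "refused_sent": refused_sent,
            "consented_sent": consented_sent,
            "probe_body": t.calls[0][1]["text"]["body"]}
```

Swap `RecordingTransport` for a thin wrapper around `requests.post` in production; the point is that `can_message` decides before any HTTP request is built, so a consent miss can never turn into an outbound message.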

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The webhook examples log sender phone numbers and message text directly to console, which can expose personal data in application logs. In real deployments, logs are often centralized, retained, and accessible to operators, making this a practical privacy and data-minimization issue.
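A webhook handler that addresses this finding and the signature check the overview asks for, as an added example that is not code from the scanned skill. It verifies the `X-Hub-Signature-256` header (HMAC-SHA256 over the raw body, keyed by the app secret, as Meta documents) before parsing, and logs only a redacted sender, message id, type and text length. `APP_SECRET`, the sample payload and the phone number are constructed for the demonstration.

```python
import hashlib
import hmac
import json
import logging
import re
from typing import Dict, List

# Added example; not code from the scanned skill. APP_SECRET and the
# sample payload below are constructed for illustration.
APP_SECRET = b"example-app-secret"

log = logging.getLogger("wa-webhook")


def verify_signature(app_secret: bytes, raw_body: bytes, header_value: str) -> bool:
    """Meta signs the raw request body with HMAC-SHA256 keyed by the app secret
    and sends it as X-Hub-Signature-256: sha256=<hex>. Compare in constant
    time, on the raw bytes, before parsing anything."""
    prefix = "sha256="
    if not header_value.startswith(prefix):
        return False
    expected = hmac.new(app_secret, raw_body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, header_value[len(prefix):])


def redact_msisdn(number: str) -> str:
    """Keep only the last four digits so operators can correlate a thread
    without the full phone number landing in centralized logs."""
    digits = re.sub(r"\D", "", number)
    if len(digits) <= 4:
        return "*" * len(digits)
    return "*" * (len(digits) - 4) + digits[-4:]


def summarize(payload: dict) -> List[Dict[str, object]]:
    """Log-safe records: redacted sender, message id, type and text length.
    The message body itself is deliberately never copied out."""
    records: List[Dict[str, object]] = []
    for entry in payload.get("entry", []):
        for change in entry.get("changes", []):
            for msg in change.get("value", {}).get("messages", []):
                rec: Dict[str, object] = {
                    "from": redact_msisdn(str(msg.get("from", ""))),
                    "id": msg.get("id"),
                    "type": msg.get("type"),
                }
                if msg.get("type") == "text":
                    rec["text_len"] = len(msg.get("text", {}).get("body", ""))
                records.append(rec)
    return records


def handle_webhook(raw_body: bytes, signature_header: str,
                   app_secret: bytes = APP_SECRET) -> List[Dict[str, object]]:
    """Reject unsigned or mis-signed posts, then log only the summary."""
    if not verify_signature(app_secret, raw_body, signature_header):
        raise PermissionError("webhook signature mismatch")
    records = summarize(json.loads(raw_body))
    for rec in records:
        log.info("inbound message %s", rec)   # no body, no full number
    return records


# Constructed inbound payload in the Cloud API webhook shape.
SAMPLE_BODY = json.dumps({
    "object": "whatsapp_business_account",
    "entry": [{"id": "0", "changes": [{"field": "messages", "value": {
        "messaging_product": "whatsapp",
        "messages": [{"from": "15551234567", "id": "wamid.example",
                      "timestamp": "0", "type": "text",
                      "text": {"body": "my account number is 12345"}}]}}]}],
}).encode()


def sign(raw_body: bytes, app_secret: bytes = APP_SECRET) -> str:
    """Header value a genuine Meta request would carry (used for local tests)."""
    return "sha256=" + hmac.new(app_secret, raw_body, hashlib.sha256).hexdigest()
```

The signature must be computed over the exact bytes received, so read the body raw and verify before any JSON decoding or re-serialization; a framework that re-encodes the body first will produce spurious mismatches.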

External Transmission

Medium
Category
Data Exfiltration
Content
        "text": {"body": "_"}  # minimal text to check
    }
    try:
        r = requests.post(
            f"https://graph.facebook.com/v21.0/{phone_id}/messages",
            headers=headers,
            json=data,
Confidence
98% confidence
Finding
requests.post( f"https://graph.facebook.com/v21.0/{phone_id}/messages", headers=headers, json=

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal