Whats 1.0.0
Review
Audited by ClawScan on May 10, 2026.
Overview
This is a disclosed WhatsApp CLI wrapper, but it can log into WhatsApp, send messages/files, and store or sync message history, so users should approve those actions carefully.
This skill appears purpose-aligned and not malicious from the provided artifacts. Before installing, understand that it uses an external wacli program, requires WhatsApp QR login for sync/search/send features, can store message history locally, and should only send messages after you verify and approve the recipient, content, and attachments.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used incorrectly, the agent could send a WhatsApp message or file to the wrong person, but the instructions require confirmation to reduce that risk.
The skill can send WhatsApp messages, including files and group messages, but it explicitly requires user-provided details and confirmation before sending.
Safety
- Require explicit recipient + message text.
- Confirm recipient + message before sending.
- If anything is ambiguous, ask a clarifying question.
Only approve sends after checking the recipient, message text, attachments, and whether the chat is a direct message or group.
The CLI may gain access to send messages and read/sync WhatsApp history under the user's account.
QR login gives the CLI delegated access to the user's WhatsApp account, which is expected for this integration but sensitive.
Auth + sync - `wacli auth` (QR login + initial sync)
Authenticate only if you trust the wacli installation source, and revoke the WhatsApp linked-device/session access if you no longer use it.
Private WhatsApp conversations may be stored locally and made searchable for future agent tasks.
The skill discloses continuous WhatsApp history sync and a persistent local store, which can contain private message history used for later search.
Auth + sync - `wacli sync --follow` (continuous sync) ... Notes - Store dir: `~/.wacli` (override with `--store`).
Use sync only when needed, consider a scoped store path with `--store`, and review or delete the local `~/.wacli` data when appropriate.
The installed CLI version may change over time, and its behavior is not visible in the provided skill artifacts.
The executable code is installed from external package sources, and the Go install target uses @latest rather than a pinned version.
brew | formula: steipete/tap/wacli ... go | module: github.com/steipete/wacli/cmd/wacli@latest
Install from a trusted source, consider pinning or reviewing the wacli version, and keep the CLI updated through normal trusted package channels.
