ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

WAHA Onboarding

v0.1.0

Onboard a new user to WhatsApp via WAHA—greet them, collect and sanitize their phone number, create/start a WAHA session, request and share a pairing code, v...

0· 100·0 current·0 all-time
by@lotfinity

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for lotfinity/waha-onboarding.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "WAHA Onboarding" (lotfinity/waha-onboarding) from ClawHub.
Skill page: https://clawhub.ai/lotfinity/waha-onboarding
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install waha-onboarding

ClawHub CLI

Package manager switcher

npx clawhub@latest install waha-onboarding
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes WhatsApp onboarding via WAHA, which legitimately requires calling a WAHA client. However the skill metadata declares no required binaries, no install spec, and no environment variables, while the instructions repeatedly run 'waha-cli' commands. The dependency on a local CLI (and any credentials/config that CLI uses) is expected for this purpose but is not declared in the manifest — an inconsistency.
Instruction Scope
The instructions stick to a clear onboarding flow: collect and sanitize a phone number, create/start a session, request a pairing code, and verify auth. They only reference the user's provided phone number and the 'waha-cli' commands; they do not instruct reading arbitrary files or unrelated environment variables.
Install Mechanism
This is instruction-only and contains no install specification or downloads, which minimizes direct install risk. The runtime does execute shell commands (waha-cli), but no install step is defined by the skill itself.
!
Credentials
The skill declares no required environment variables or binaries, yet the runtime instructions require 'waha-cli' to be present and likely rely on whatever local authentication/configuration that CLI uses. The skill does not declare this dependency or any credentials it might consume, which is disproportionate and opaque — you don't know what local secrets/config the CLI will access when invoked.
Persistence & Privilege
The skill is not always-on and does not request persistent or elevated platform privileges in the metadata. Nothing in SKILL.md attempts to alter other skills or system-wide settings.
What to consider before installing
This skill appears to do what it says (onboard WhatsApp via WAHA) but its manifest omits that it needs a local 'waha-cli' binary and any credentials/config that binary might use. Before installing or enabling it: 1) verify where 'waha-cli' comes from and whether you trust that software; 2) confirm whether the CLI will access stored credentials or create network connections and review those policies; 3) test the flow in a safe environment (sandbox or VM) to observe what files/network calls the CLI performs; 4) require explicit user consent before running the CLI commands that will create sessions or share pairing codes; and 5) ask the skill author/maintainer to update the manifest to declare the required binary and any environment/config dependencies. If you cannot verify the origin and behavior of 'waha-cli', avoid running this skill on sensitive systems.

Like a lobster shell, security has layers — review code before you run it.

latestvk978psvbhcpjmhjaz6exemk6nd83r4rg
100downloads
0stars
1versions
Updated 1mo ago
v0.1.0
MIT-0
@lotfinity
latest
Download

WAHA Onboarding Skill

Use this skill when a user wants to connect their WhatsApp account through WAHA.

Onboarding flow

1) Collect phone number

Ask for the user’s WhatsApp number including country code.

Example prompt:

"👋 I can connect your WhatsApp. Send your phone number with country code (digits only if possible), for example 905380546393."

2) Sanitize number and derive session name

  • Strip all non-digit characters from the input.
  • Use sanitized value as <phonenumber>.
  • Session name format: user-<phonenumber>.

3) Create and start WAHA session

Run:

waha-cli waha-create-session --name user-<phonenumber>
sleep 5
waha-cli waha-start-session --session user-<phonenumber>

4) Request pairing code

Run:

sleep 5
waha-cli waha-request-pairing-code --session user-<phonenumber> --phone-number <phonenumber>

5) Share pairing instructions

Send the returned code and tell user:

  1. Open WhatsApp → Linked Devices
  2. Tap Link a Device
  3. Tap Link with phone number instead
  4. Enter the pairing code

6) Verify authentication after user confirms

Run:

waha-cli waha-check-auth-status --session user-<phonenumber>
  • If status is WORKING: onboarding succeeded.
  • Otherwise: run fallback.

7) Confirm success and offer next actions

Offer:

  • recent conversations
  • contacts
  • messages from a specific chat

Fallback (if not WORKING)

Restart and issue a fresh code:

waha-cli waha-start-session --session user-<phonenumber>
sleep 8
waha-cli waha-request-pairing-code --session user-<phonenumber> --phone-number <phonenumber>

Then ask user to retry from WhatsApp Linked Devices.

Naming and ID conventions

  • WAHA session: user-<phonenumber>
  • Direct chat id convention: <phonenumber>@c.us

Comments

Loading comments...