SocialEpoch WhatsApp SCRM API

Security checks across malware telemetry and agentic risk

Overview

This WhatsApp automation skill has legitimate messaging features, but it also downloads and runs a local client, changes local OpenClaw settings, and stores credentials with insufficient disclosure.

Install only if you trust SocialEpoch and are comfortable with a downloaded native receiver client running locally. Use limited-scope test credentials first, review callback destinations carefully, and expect local files and OpenClaw settings to be changed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (26)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
pip_args.extend(["--user", "--break-system-packages"])

    try:
        subprocess.check_call(
            pip_args,
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL
Confidence
95% confidence
Finding
subprocess.check_call( pip_args, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if os.name == "nt":
            startupinfo = subprocess.STARTUPINFO()
            startupinfo.dwFlags |= subprocess.STARTF_USESHOWWINDOW
            subprocess.call(
                ["taskkill", "/f", "/im", CLIENT_NAME],
                stdout=subprocess.PIPE,
                stderr=subprocess.PIPE,
Confidence
89% confidence
Finding
subprocess.call( ["taskkill", "/f", "/im", CLIENT_NAME], stdout=subprocess.PIPE, stderr=subprocess.PIPE, startupinfo=startup

subprocess module call

Medium
Category
Dangerous Code Execution
Content
startupinfo=startupinfo
            )
        else:
            subprocess.call(
                ["pkill", "-f", CLIENT_PATH],
                stdout=subprocess.PIPE,
                stderr=subprocess.PIPE
Confidence
92% confidence
Finding
subprocess.call( ["pkill", "-f", CLIENT_PATH], stdout=subprocess.PIPE, stderr=subprocess.PIPE )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def start_client_process():
    try:
        if os.name == "nt":
            subprocess.Popen(
                [CLIENT_PATH],
                creationflags=subprocess.CREATE_NO_WINDOW,
                close_fds=True
Confidence
98% confidence
Finding
subprocess.Popen( [CLIENT_PATH], creationflags=subprocess.CREATE_NO_WINDOW, close_fds=True )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
close_fds=True
            )
        else:
            subprocess.Popen(
                [CLIENT_PATH],
                close_fds=True,
                stdout=subprocess.DEVNULL,
Confidence
98% confidence
Finding
subprocess.Popen( [CLIENT_PATH], close_fds=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL )

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill declares no permissions while the documentation and launcher metadata indicate access to environment variables, local files, network operations, and shell/Python execution. This creates a transparency and consent gap: users and hosting platforms may not understand the skill's actual capabilities, which is especially risky for a messaging tool that handles API keys, local configuration, and external communications.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose is WhatsApp messaging automation, but the described behavior extends to downloading and executing external binaries, modifying local gateway configuration, killing/restarting processes, opening dashboards, and auto-installing dependencies. That mismatch is dangerous because users may authorize a messaging integration without realizing it can materially change the local environment and execute newly fetched code, increasing supply-chain and local compromise risk.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill performs local package installation and system modification beyond the stated scope of a WhatsApp SCRM API wrapper. That mismatch increases risk because users expect API calls, not host environment changes, and hidden installation behavior can be abused or cause system instability.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The script downloads a native executable from the internet, stores it locally, and later executes it, but the manifest does not clearly disclose that behavior. This is extremely dangerous because it creates an unverified remote-code-execution path on the user's machine under the guise of an API integration.

Context-Inappropriate Capability

Low
Confidence
83% confidence
Finding
The code opens the user's browser and inspects local network configuration to derive a LAN URL, which is tangential to the stated API purpose. Although lower severity than the binary execution issues, it still performs unexpected local actions and exposes local service access details that users may not want surfaced automatically.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The comments claim the dashboard action is 'Safe, no virus, no permission required' despite code that opens a browser and inspects network state. Such reassurance language is a red flag because it attempts to preempt scrutiny while the script performs nontrivial local actions outside a simple API call pattern.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The auto message receiver commands describe starting and resetting a receiver service, but do not clearly warn that this may create ongoing/background message handling. In the context of a communication platform, background receipt can expose message content, metadata, and operational state beyond what a user expects from a manually triggered tool.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The callback configuration allows message and status callback URLs to be set without warning that chat content, delivery metadata, or identifiers may be sent to external endpoints. In a WhatsApp SCRM context, this is particularly sensitive because callbacks can expose customer communications and operational metadata to third-party servers.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The README presents natural-language setup commands like "set config ..." without any required prefix, namespace, or confirmation boundary. In an agent environment, overly broad activation phrases can be triggered unintentionally by ordinary user text, causing configuration changes or sensitive operations to run when the user did not explicitly intend to invoke the skill.

Vague Triggers

Medium
Confidence
87% confidence
Finding
Saying the skill "supports natural language instructions" without clearly defining the accepted grammar or invocation boundary makes it unclear what user input may activate privileged actions. In a messaging/automation skill, this ambiguity increases the risk of accidental execution of send, receive, or management operations from normal conversation.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The listed commands include generic phrases such as starting receivers, checking status, or sending messages using plain natural language, with no scoping constraints. Because this skill manages WhatsApp messaging, callbacks, and operational controls, ambiguous everyday phrasing could lead to unintended outbound messages, service changes, or data-handling actions.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The README promotes automatic message reception, AI auto-reply, dashboard access, and callback handling without warning that these features process customer communications and potentially sensitive personal data. In a customer-service and marketing context, lack of privacy guidance can lead users to enable continuous collection, storage, and automated processing without considering consent, retention, access control, or regulatory obligations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The configuration steps instruct users to pass tenant IDs and API keys directly on the command line and in natural-language examples, but provide no warning about shell history, process listings, screenshots, or chat logs exposing secrets. This can result in credential leakage and unauthorized access to the WhatsApp SCRM account and associated customer messaging operations.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script silently installs requests via pip, suppressing stdout and stderr and giving the user no opportunity to review or deny the change. Silent package installation is risky because it modifies the runtime environment and fetches code from external package sources without informed consent.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The gateway setup rewrites local configuration files automatically and suppresses exceptions, which hides side effects from the user. Undisclosed configuration changes can alter host behavior persistently and are especially concerning in a skill whose advertised function is external messaging automation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This flow forcibly kills an existing client process without warning. Unexpected process termination is a harmful side effect that can interrupt active work or affect unrelated processes if identification is imprecise.

Missing User Warnings

High
Confidence
99% confidence
Finding
The script downloads an executable and writes it to disk with no user-facing warning and no integrity verification. This is a high-risk supply-chain and remote-execution precursor because a compromised server or network path can deliver malicious code that the tool later runs.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill silently launches a local executable in the background, hiding console output and making the action less visible to the user. In context, because that binary may have just been downloaded, this is effectively stealthy execution of externally sourced code.

Missing User Warnings

High
Confidence
98% confidence
Finding
Saving configuration writes API credentials to disk and immediately triggers force-reset behavior that modifies config, kills processes, downloads software, and starts a client. Combining secret persistence with undisclosed repair actions creates a dangerous surprise side-effect chain far beyond simple credential setup.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger list is unusually broad and includes many generic operational phrases such as 'Open Dashboard', 'Set config', 'Send image', and 'whatsapp', which can cause the skill to activate for ordinary user requests unrelated to this specific integration. In a skill with network and config permissions that can send messages and alter callback/receiver behavior, overbroad invocation increases the risk of unintended execution, misrouting user intent, or accidental access to sensitive configuration-driven actions.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.
