WhatsApp Business Automation by WhatsAble

Security checks across malware telemetry and agentic risk

Overview

This WhatsApp automation skill is mostly coherent, but it needs review because it can send messages, read customer conversations, expose secrets, and use documented backend endpoints with weak authorization controls.

Install only for a trusted Notifyer workspace and only with tokens from an account that is allowed to send customer messages and administer automation. Treat the JWT, Developer API key, webhook signature secrets, exported analytics, and conversation logs as sensitive; avoid shared terminals and logs. Review destructive actions, bulk broadcasts, webhooks, bot deletes, and team changes manually, and avoid using the documented public/weakly authorized raw endpoints until the backend authorization issues are fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (24)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill documentation describes scripts that require environment variables containing sensitive credentials and perform outbound network requests, but no explicit permissions are declared. This creates a trust and review gap: an agent platform or user may not realize the skill can access secrets and communicate with external APIs, increasing the risk of unintended credential exposure or unauthorized data transmission.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The document explicitly states that `POST /ai_config/files` is a public endpoint with no authentication gate, yet it creates and stores uploaded attachments. An unauthenticated upload surface can be abused for arbitrary file hosting, storage exhaustion, malware staging, and insertion of attacker-controlled content into later bot knowledge workflows.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The reference says listing bots returns all workspace `bot_config` records and is not filtered by the calling user. Because bot records contain sensitive fields such as `system_prompt`, `knowledge_base`, `file_texts`, and `openai_assistant_id`, this enables overbroad data exposure to authenticated users who may not need access to all bot configurations.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The delete endpoint is documented as having no ownership check, allowing any authenticated user to delete any bot by ID. This is a classic insecure direct object reference / broken access control issue that can lead to unauthorized destruction of bot configurations and service disruption across a workspace.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The documentation explicitly states that `DELETE /broadcast/{broadcast_id}` does not call `/get_user` and that authentication relies only on a CORS origin check. CORS is not an authentication control, so a direct HTTP client can invoke this destructive endpoint and delete broadcast records and associated recipient data if the broadcast ID is known or guessable.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The reference shows an Authorization header but then states the endpoint does not actually authenticate the caller. This mismatch is dangerous because integrators may assume the operation is protected when it is not, leading to accidental exposure of a destructive action.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The documentation explicitly states that the dev webhook delete endpoint is public and protected only by a CORS origin check, with no user authentication or ownership validation. CORS is not an authorization control, so an attacker who can issue direct HTTP requests can potentially delete arbitrary webhook records by ID, causing unauthorized destructive actions across users.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script explicitly documents and implements direct retrieval of any bot by numeric ID without enforcing ownership or workspace-scoped authorization beyond possession of a bearer token. Because bot records include highly sensitive fields such as system prompts, knowledge base contents, trigger keywords, and assistant IDs, this enables insecure direct object reference style access and can expose proprietary AI behavior or internal operational data to unauthorized authenticated users.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README explicitly instructs users to pass a password on the command line and export a JWT token into the environment, but does not warn that both may be exposed through shell history, process listings, logs, screenshots, or shared terminals. In an agent-driven setting, this is more dangerous because agents may echo commands, store transcripts, or persist environment state, increasing the chance of credential leakage.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README documents retrieval and use of the Developer API key without clearly warning that this credential grants downstream integration access and should be treated like a secret. If exposed, an attacker could abuse external automation surfaces, trigger actions, or access data through connected tools such as Make, Zapier, or n8n.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README encourages reading full conversation history and notes, including customer messages and manual/AI-generated notes, without a privacy or authorization warning. In a customer-support messaging context this data is likely sensitive personal or business information, so normalizing unrestricted access by agents raises privacy, compliance, and insider-misuse risk.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The manifest advertises bulk broadcasts, analytics retrieval, and webhook management without any user-facing disclosure of privacy implications, external data transmission, or operational impact. In an automation skill that can message users at scale and exfiltrate event data to third-party webhook endpoints, omission of these safeguards increases the risk of misuse, unintended data sharing, and non-compliant deployments.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The description explicitly enables bulk WhatsApp broadcast campaigns but does not mention consent, opt-in requirements, recipient eligibility, or anti-spam safeguards. In the context of a WhatsApp business automation skill, this omission is more dangerous because the skill is purpose-built for large-scale outbound messaging, which can be abused for spam, policy violations, or unauthorized contact of recipients.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation explicitly instructs users how to export message-level analytics and raw CSV records, which likely contain message bodies, phone numbers, timestamps, and status metadata, but provides no privacy, minimization, retention, or access-control warning. In a WhatsApp business messaging context, this increases the likelihood of oversharing regulated or sensitive communications data through scripts, local files, and downstream processing pipelines.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The markdown describes uploads whose metadata shows `access: "public"` and also stores extracted file contents in `file_texts`, but it does not warn about confidentiality risks. Users may upload sensitive documents expecting private AI processing, while the implementation appears to make attachments publicly accessible and persist extracted text for later retrieval.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This documentation exposes a destructive delete operation without a prominent warning that it lacks real authentication and performs irreversible cascade deletion of recipients and broadcasts. In an agent skill context, weakly warned destructive tools are more dangerous because an agent or integrator may invoke them under false assumptions of safety.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The documentation describes a destructive public delete endpoint and normalizes its use without a strong security warning or mitigation guidance, despite acknowledging the absence of authentication. In a skill context that may drive agent actions, this can encourage unsafe invocation of a fundamentally insecure operation and obscure the seriousness of unauthorized deletion risk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation instructs users to store and use a raw JWT from an environment variable and explicitly notes that the same token works across multiple auth modes, but it provides no warning about secret handling, logging, shell history exposure, or token rotation. In a skill that can read conversations, send messages, manage labels, notes, and bot handoff, compromise of this token would grant substantial access to live WhatsApp business operations and customer data.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The manifest describes capabilities that can directly affect real-world communications—sending messages, scheduling outreach, changing bot/human handoff, and managing live conversations—without any user-facing warning about irreversible actions, consent, or operational risk. In an agentic context, this increases the chance of unintended messaging, unauthorized customer contact, or disruption of support workflows if the skill is invoked incorrectly or overly broadly.

Missing User Warnings

Low
Confidence
76% confidence
Finding
The manifest requires a JWT API token for all API calls but provides no guidance that this credential is sensitive, should be stored securely, and must never be exposed in logs, prompts, or client-side contexts. Because this skill operates messaging and chat functions, compromise of the token could enable unauthorized access to conversations and message-sending actions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document describes a retrievable, long-lived workspace API key and includes workflows that print or return the raw secret value, while also stating there is no rotation/regeneration mechanism. In an agent-skill context, this materially increases the risk of credential disclosure through logs, terminal history, screenshots, copied outputs, or downstream tool chaining, and any exposed key can grant durable API access until the workspace is replaced.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation explicitly instructs creation of full user accounts with a supplied password and says to share those credentials out-of-band. This normalizes insecure credential provisioning, increases the chance of password disclosure, reuse, interception, or logging in scripts and chat transcripts, and bypasses safer invitation or password-set flows.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script fetches a long-lived workspace Developer API key and, when `--pretty` is used, prints the raw secret directly to stderr along with usage guidance. This increases the chance of accidental exposure through terminal scrollback, shell history capture, CI/CD logs, session recording, or other logging/observability pipelines, especially because the key appears to be non-rotatable and can authenticate developer-facing API calls.

Tool Parameter Abuse

High
Category
Tool Misuse
Content (excerpt from the skill documentation)

    ---

    ### `DELETE /broadcast/{broadcast_id}` — Delete a scheduled broadcast

    > No script provided. Documented for completeness.

Confidence
94% confidence
Finding
`DELETE /broadcast/{broadcast_id}`

VirusTotal

67/67 vendors flagged this skill as clean.
