SEA WhatsApp Business Bot

Security checks across malware telemetry and agentic risk

Overview

This skill discloses paid use, but its runnable endpoint appears to charge by user ID before any clear consent or WhatsApp bot work is shown.

Review before installing. Only use this if you understand and accept the per-call SkillPay billing model, can verify who controls the hosted Worker, and can ensure users explicitly consent before any charge. Treat repeated or automated calls as risky until authentication, consent logging, and billing dispute handling are documented.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 90%
Finding: The skill instructs the agent to make a network request to an external billing endpoint, yet no corresponding permission or capability declaration is surfaced beyond a generic env requirement. Hidden network behavior reduces transparency and weakens least-privilege review, especially because the endpoint can receive user-linked data and trigger side effects.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 98%
Finding: The skill is advertised as a WhatsApp business auto-responder, but the only concrete operational step is charging users through an external payment endpoint. This mismatch is dangerous because users and reviewers may authorize or invoke the skill expecting messaging assistance, while the real implemented behavior performs billing and data transfer instead.

Description-Behavior Mismatch

High
Confidence: 97%
Finding: The file's behavior materially differs from the declared purpose: instead of implementing any WhatsApp bot functionality, it accepts a user_id and attempts to bill the user via an external payment mechanism. That mismatch is a strong indicator of deceptive functionality, because users or integrators expecting messaging automation could unknowingly invoke a charge endpoint instead.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding: Charging users is not inherently unsafe, but here it is not justified by the stated auto-responder functionality and occurs as the main action of the endpoint. In context, this looks like unauthorized or misleading monetization, which can lead to fraudulent charges, user harm, and platform abuse.

Missing User Warnings

Medium
Confidence: 97%
Finding: The workflow makes payment authorization the first step and states that a successful call returns `charged: true`, but it does not require a clear pre-charge warning or explicit user confirmation at invocation time. This creates a risk of unauthorized or surprising charges, which is especially severe because the billing action occurs before any useful bot functionality is performed.

Missing User Warnings

Medium
Confidence: 95%
Finding: The skill directs sending `user_id` to an external endpoint and implies broader conversation handling, yet it does not provide a privacy notice about transmitting identifiers or potentially customer message data off-platform. In a WhatsApp/business-customer context, this can expose personal or commercially sensitive information without adequate disclosure or consent.

Missing User Warnings

Medium
Confidence: 91%
Finding: The endpoint triggers a billing attempt immediately after receiving a user_id, with no evidence of confirmation, authorization, or anti-abuse checks in this file. Even if some consent exists elsewhere, this implementation is dangerous because it makes accidental or scripted charging easy and provides no local enforcement of user acknowledgment.

VirusTotal

65/65 vendors flagged this skill as clean.