ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Wa Relay

v0.2.1

WhatsApp message relay for OpenClaw v0.2.0. Routes third-party DMs to a relay agent that forwards them to the main agent via sessions_send. The main agent no...

0· 809·0 current·0 all-time
by@zarruk

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for zarruk/wa-relay-skill.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Wa Relay" (zarruk/wa-relay-skill) from ClawHub.
Skill page: https://clawhub.ai/zarruk/wa-relay-skill
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install zarruk/wa-relay-skill

ClawHub CLI

Package manager switcher

npx clawhub@latest install wa-relay-skill
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The scripts, README, and config generation align with a WhatsApp relay: creating a relay workspace, routing config, and adding a relay-handling section to the main agent. The files requested and produced match the stated purpose.
Instruction Scope
SKILL.md and scripts explicitly instruct the agent to create a relay workspace, append a relay section to the main agent's SOUL.md, copy auth-profiles.json from the main agent to the relay, and patch OpenClaw dist files to relax the session-id regex. These actions are in-scope for enabling the relay but grant the skill broad file-system modification authority (modifying other agent files and core dist files). The scripts do prompt for confirmation and produce .bak files for patched files.
Install Mechanism
No external installers or downloads are used; this is an instruction-only skill with local shell scripts. That reduces supply-chain risk, but scripts will modify local OpenClaw installation files.
!
Credentials
The skill does not require environment variables but reads and copies a sensitive file (~/.openclaw/agents/main/agent/auth-profiles.json) containing model-provider credentials. Copying these credentials to the relay is functionally necessary for the relay to authenticate, but it increases the attack surface because the relay gains the same credentials as the main agent. The credential access is not declared in metadata and is a significant privilege escalation in practice.
!
Persistence & Privilege
The scripts modify other agent state (main agent SOUL.md) and patch OpenClaw's node_modules/dist files to change a core regex. Those are persistent, system-scoped changes. The scripts create backups and ask for confirmation, but these modifications give the skill permanent changes to the runtime and to other agents' configuration.
Assessment
This skill appears to be what it says, but it performs sensitive local actions. Before installing: 1) Inspect auth-profiles.json contents and consider creating or using a dedicated, limited-scope credential for the relay (do not blindly copy full admin/owner credentials). 2) Backup your OpenClaw installation and the main agent workspace (SOUL.md and auth files). 3) Review and, if desired, run the setup script step-by-step rather than letting it auto-patch: decline the credential copy and patch prompts and perform changes manually if you prefer. 4) After applying, verify .bak backups exist and that you can revert the regex patch once upstream PR #16531 is merged; remove copied credentials when no longer required. 5) Run in a test environment first and limit filesystem permissions on the relay workspace. If you are uncomfortable giving the relay full credential access or allowing scripts to patch node_modules, do not install; instead implement routing manually or use credentials scoped specifically for the relay.

Like a lobster shell, security has layers — review code before you run it.

latestvk972dxb278df4k1wkr7gab1ttx8191hh
809downloads
0stars
5versions
Updated 4h ago
v0.2.1
MIT-0
@zarruk
latest
Download

wa-relay v0.2.0

Routes third-party WhatsApp DMs through a relay agent that forwards messages to the main agent via sessions_send. The main agent notifies the owner and proposes a response.

How It Works

  1. Third-party sends a WhatsApp message
  2. Relay agent receives it, forwards via sessions_send to the main agent session, and responds NO_REPLY (nothing sent back to the sender)
  3. Main agent receives the inter-session message, notifies the owner on WhatsApp with the message and a suggested response
  4. Owner decides: use the suggestion, modify it, or write something else
  5. Main agent sends the response to the third party

Direct number allowlist

Numbers in the allowlist bypass the relay entirely and go straight to the main agent (same as the owner).

Setup

  1. Run scripts/setup.sh <owner-phone-number> — creates relay workspace, patches main agent SOUL.md
  2. Run scripts/configure.sh <owner-phone-number> [direct-numbers] — generates routing config
  3. Apply the generated config (see references/SETUP.md)

Requirements

  • OpenClaw v2026.2.14+ with WhatsApp channel configured
  • Owner's phone number in international format (e.g. +573001234567)

Security Notes

This skill performs two actions that require elevated access. Both are necessary for multi-agent WhatsApp routing to work and are explained here for transparency:

1. Auth credential sharing

The setup script copies auth-profiles.json from the main agent to the relay agent. This is required because OpenClaw agents have isolated auth — without shared credentials, the relay agent cannot authenticate with any model provider and will silently fail. The script asks for confirmation before copying.

2. Session ID regex patch (temporary)

OpenClaw's session ID validator rejects : and + characters that WhatsApp phone-number routing generates (e.g. agent:wa-relay:whatsapp:+15551234567). The setup script patches the SAFE_SESSION_ID_RE regex in OpenClaw's dist files to allow these characters. This is a known bug (openclaw/openclaw#16211) with an open fix (PR #16531). Once merged, this patch becomes unnecessary and can be reverted. The script creates .bak backups and asks for confirmation before patching.

3. Main agent SOUL.md modification

The setup script appends a "Relay de WhatsApp" section to the main agent's SOUL.md so it knows how to handle forwarded messages. Review the added section after setup.

Comments

Loading comments...