Wa Relay

Security checks across malware telemetry and agentic risk

Overview

This WhatsApp relay is mostly transparent and purpose-aligned, but it deserves Review because setup copies main-agent credentials and patches core OpenClaw files.

Install only if you are comfortable with a relay agent receiving non-allowlisted WhatsApp messages, using copied model-provider credentials, and temporarily patching OpenClaw internals. Prefer a separate least-privilege auth profile for the relay, back up SOUL.md and gateway config first, review the generated bindings before applying them, and remove or rotate copied credentials if you later uninstall the relay.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill's top-level description presents it as a WhatsApp relay, but the document discloses materially broader and more privileged behavior: copying authentication credentials, patching installed OpenClaw distribution files, and modifying the main agent's SOUL.md. Even if these actions are described later, the manifest-level mismatch is security-relevant because users and automated tooling may grant trust based on the narrower description and miss invasive setup steps.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Sharing the main agent's auth-profiles.json with a separate relay agent expands the trust boundary and gives the relay access to provider credentials that may permit broader actions than simple message forwarding. If the relay agent is compromised, misconfigured, or behaves unexpectedly, the attacker can inherit the main agent's authenticated capabilities and potentially access models, APIs, or billing under the owner's account.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Patching OpenClaw distribution files to relax SAFE_SESSION_ID_RE is an invasive change to host security controls and can have effects beyond this skill. Weakening session ID validation may allow malformed or attacker-controlled identifiers to be accepted, increasing the risk of routing confusion, collisions, unsafe parsing, or future injection-style issues elsewhere in the platform.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The manifest description omits that installation modifies the host OpenClaw installation and the main agent's configuration/instruction files. This under-disclosure is dangerous because operators, reviewers, or policy engines may assess the skill as a simple relay while it actually performs privileged and persistent host changes.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The guide instructs users to patch OpenClaw internals under node_modules and alter SAFE_SESSION_ID_RE, which expands trusted behavior at the platform level for a skill whose stated purpose is message relaying. Modifying core validation logic can weaken security boundaries, create upgrade fragility, and introduce unexpected acceptance of session identifiers or paths beyond the intended scope.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The script presents the generated JSON as something the agent can apply directly, but the output only contains the new bindings set and the notes acknowledge that the bindings array replaces existing bindings. In this skill’s context, that can silently remove prior routing or security-relevant bindings and cause misdelivery, denial of service for other channels, or unintended message flow changes when an operator follows the advertised one-step apply path.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guide tells users to copy auth-profiles.json from the main workspace into the relay workspace without warning that it likely contains sensitive authentication material. Duplicating credentials increases exposure, broadens the blast radius if the relay workspace is compromised, and undermines separation between the main and relay agents.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The instructions tell users to patch installed files under ~/.openclaw/node_modules without any warning about integrity, maintenance, or rollback risk beyond a later brief revert note. Directly editing installed dependencies can break supply-chain assumptions, complicate updates, and leave users running a locally modified platform state that is hard to audit.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The script writes configuration data containing phone numbers and routing information to a predictable file in /tmp without warning or permission controls. On multi-user systems, temporary directories are shared and operational data may be exposed through weak file handling, log collection, backup tooling, or accidental discovery, making this an unnecessary privacy and configuration leakage risk.

VirusTotal

None of the 64 VirusTotal vendors flagged this skill; all 64 reported it clean.
