WhatsApp Number Checker

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill does what it says by checking WhatsApp registration through a disclosed external API, with privacy caveats around submitted phone numbers.

Install only if you are comfortable sending checked phone numbers to wa-check-api.whatsabot.com or the configured MCP service. Use it only for numbers you are authorized to check, protect the API key, and avoid bulk or surveillance-style lookups.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

High

Confidence: 94% confidence
Finding: The skill instructs the agent to send phone numbers to an external API service but does not warn the user that their phone number data will leave the local system and be processed by a third party. Because phone numbers are personal data, silent transmission can create privacy, compliance, and trust risks, especially if users did not explicitly consent to external sharing.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The API documentation instructs clients to send phone numbers to an external service to determine WhatsApp registration status, but it does not warn users that this transfers personal data to a third party for account-enumeration-style checks. This omission can lead to privacy, consent, and compliance issues, especially because phone numbers are sensitive identifiers and the feature is explicitly designed to verify presence on a communications platform.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal