Trust Assessment
wacli received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 0 critical, 2 high, 2 medium, and 0 low severity. Key findings include Potential Data Exfiltration via `wacli send file`, Potential Command Injection via `wacli` arguments, Unpinned Go Module Dependency.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 56/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| HIGH | Potential Data Exfiltration via `wacli send file`: The skill allows sending arbitrary files from the agent's filesystem to external WhatsApp numbers using `wacli send file --file /path/to/file`. If the `/path/to/file` argument is derived from untrusted user input, an attacker could instruct the agent to exfiltrate sensitive files (e.g., `/etc/passwd`, `~/.ssh/id_rsa`, configuration files, environment variables if accessible as files) to an attacker-controlled WhatsApp number. Implement strict validation and sanitization of the `--file` argument to ensure it only points to allowed, non-sensitive files or directories. Consider restricting file sending capabilities to a predefined set of safe files or requiring explicit user confirmation for each file path before execution. | LLM | SKILL.md:32 |
| HIGH | Potential Command Injection via `wacli` arguments: The skill executes `wacli` commands with arguments that can be derived from user input (e.g., `--message`, `--query`, `--to`). If these arguments are not properly sanitized and escaped before being passed to the shell, an attacker could inject arbitrary shell commands. For example, a malicious message like `"; rm -rf /"` could lead to arbitrary code execution. Ensure all user-provided input used as arguments to `wacli` commands is strictly validated and properly escaped for shell execution. Use a safe command execution mechanism that prevents shell injection (e.g., passing arguments as a list to `subprocess.run` in Python, rather than a single string). | LLM | SKILL.md:26 |
| MEDIUM | Unpinned Go Module Dependency: The Go module dependency `github.com/steipete/wacli/cmd/wacli@latest` is unpinned. Using `@latest` means that the exact version of the dependency is not fixed, allowing it to change without explicit review. This introduces a supply chain risk, as a malicious update to the `wacli` module could be automatically pulled in, compromising the skill. Pin the Go module dependency to a specific, immutable version (e.g., a commit hash or a semantic version tag like `@v1.2.3`) to ensure deterministic builds and prevent unexpected changes. Regularly review and update pinned dependencies. | LLM | SKILL.md:1 |
| MEDIUM | Broad Access to WhatsApp Data and Messaging: The `wacli` tool provides broad capabilities including sending messages, syncing history, and searching chats. While the skill includes safety instructions for the LLM, the underlying tool grants extensive access to a user's WhatsApp account. If the LLM misinterprets instructions or is successfully prompted to misuse the tool, it could lead to unauthorized messaging, disclosure of private chat history, or other privacy violations. Implement robust guardrails and explicit user confirmation steps for all sensitive `wacli` operations, especially those involving sending messages to new recipients or accessing historical chat data. Consider fine-grained access control if possible, limiting the types of `wacli` commands the agent can execute based on context. Ensure the LLM's internal safety mechanisms are highly tuned for this skill. | LLM | SKILL.md:16 |
Full report: https://skillshield.io/report/1397fd0abe8a50a9