Trust Assessment
whatsapp-automation received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 26 findings: 3 critical, 7 high, 8 medium, and 3 low severity. Key findings include Persistence / self-modification instructions, Sensitive environment variable access: $HOME, Persistence mechanism: macOS LaunchAgent.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings26
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Persistence / self-modification instructions macOS LaunchAgent/LaunchDaemon persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/vincent-labarthe/whatsapp-automation/setup.sh:190 | |
| CRITICAL | Persistence / self-modification instructions macOS LaunchAgent/LaunchDaemon persistence Remove any persistence mechanisms. Skills should not modify system startup configurations, crontabs, LaunchAgents, systemd services, or shell profiles. | Manifest | skills/vincent-labarthe/whatsapp-automation/setup.sh:213 | |
| CRITICAL | Prompt Injection via User-Controlled Message to LLM The `appointment-detector.sh` script constructs an `openclaw cron run` command where the `-m` argument, intended for an LLM, includes user-controlled WhatsApp message text. If the `openclaw` command passes this message directly to an LLM for analysis, an attacker could craft a malicious WhatsApp message to inject instructions into the host LLM, potentially leading to arbitrary code execution, data exfiltration, or manipulation of the LLM's behavior. The skill description explicitly states 'Claude AI Analysis' and 'Your configured agent analyzes', confirming LLM interaction. Sanitize or strictly validate user-controlled input before passing it to an LLM. Implement a robust prompt templating system that separates user input from system instructions. Consider using a dedicated LLM API call with input parameters rather than embedding user input directly into a command-line argument that forms part of a prompt. | LLM | scripts/appointment-detector.sh:26 | |
| HIGH | Persistence mechanism: macOS LaunchAgent Detected macOS LaunchAgent pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/vincent-labarthe/whatsapp-automation/setup.sh:190 | |
| HIGH | Persistence mechanism: macOS LaunchAgent Detected macOS LaunchAgent pattern. Persistence mechanisms allow malware to survive system restarts. Review this persistence pattern. Skills should not modify system startup configuration. | Static | skills/vincent-labarthe/whatsapp-automation/setup.sh:213 | |
| HIGH | Hardcoded Telegram Bot Token and Chat ID Multiple scripts (`detect-appt.sh`, `detect-important.sh`, `detect-josephine.sh`, `send-alert.sh`) contain hardcoded Telegram Bot Tokens and Chat IDs. These credentials are exposed in plain text within the skill package. Anyone with access to these files can obtain and misuse these credentials, potentially sending unauthorized messages or accessing bot-related information. Store sensitive credentials securely, for example, using environment variables, a secrets management service, or OpenClaw's built-in configuration system. Do not hardcode API keys or tokens directly in source code. Ensure these values are loaded at runtime from a secure source. | LLM | scripts/detect-appt.sh:3 | |
| HIGH | Hardcoded Telegram Bot Token and Chat ID Multiple scripts (`detect-appt.sh`, `detect-important.sh`, `detect-josephine.sh`, `send-alert.sh`) contain hardcoded Telegram Bot Tokens and Chat IDs. These credentials are exposed in plain text within the skill package. Anyone with access to these files can obtain and misuse these credentials, potentially sending unauthorized messages or accessing bot-related information. Store sensitive credentials securely, for example, using environment variables, a secrets management service, or OpenClaw's built-in configuration system. Do not hardcode API keys or tokens directly in source code. Ensure these values are loaded at runtime from a secure source. | LLM | scripts/detect-important.sh:3 | |
| HIGH | Hardcoded Telegram Bot Token and Chat ID Multiple scripts (`detect-appt.sh`, `detect-important.sh`, `detect-josephine.sh`, `send-alert.sh`) contain hardcoded Telegram Bot Tokens and Chat IDs. These credentials areposed in plain text within the skill package. Anyone with access to these files can obtain and misuse these credentials, potentially sending unauthorized messages or accessing bot-related information. Store sensitive credentials securely, for example, using environment variables, a secrets management service, or OpenClaw's built-in configuration system. Do not hardcode API keys or tokens directly in source code. Ensure these values are loaded at runtime from a secure source. | LLM | scripts/detect-josephine.sh:3 | |
| HIGH | Hardcoded Telegram Bot Token and Chat ID Multiple scripts (`detect-appt.sh`, `detect-important.sh`, `detect-josephine.sh`, `send-alert.sh`) contain hardcoded Telegram Bot Tokens and Chat IDs. These credentials are exposed in plain text within the skill package. Anyone with access to these files can obtain and misuse these credentials, potentially sending unauthorized messages or accessing bot-related information. Store sensitive credentials securely, for example, using environment variables, a secrets management service, or OpenClaw's built-in configuration system. Do not hardcode API keys or tokens directly in source code. Ensure these values are loaded at runtime from a secure source. | LLM | scripts/send-alert.sh:14 | |
| HIGH | Arbitrary File Write via User-Controlled Export Path The `whatsapp-query.js` script's 'export' command allows a user to specify an output file path (`arg`). This path is not sanitized or validated, meaning a malicious user could provide a path to a sensitive system file (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) and overwrite it with WhatsApp message data. This constitutes an arbitrary file write vulnerability, leading to data integrity issues or potential data exfiltration if written to an accessible location. Validate and sanitize the `outputFile` argument to ensure it is within an allowed directory (e.g., a dedicated export folder) and does not contain path traversal sequences (e.g., `../`). Prevent overwriting of existing files without explicit user confirmation, especially for system-critical paths. | LLM | scripts/whatsapp-query.js:109 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/vincent-labarthe/whatsapp-automation/scripts/appointment-detector.sh:6 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/vincent-labarthe/whatsapp-automation/scripts/detect-appointments.sh:6 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/vincent-labarthe/whatsapp-automation/scripts/detect-appt.sh:5 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/vincent-labarthe/whatsapp-automation/scripts/detect-important.sh:6 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/vincent-labarthe/whatsapp-automation/scripts/detect-josephine.sh:6 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/vincent-labarthe/whatsapp-automation/scripts/detect-urgent.sh:6 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/vincent-labarthe/whatsapp-automation/scripts/send-alert.sh:15 | |
| MEDIUM | Sensitive environment variable access: $HOME Access to sensitive environment variable '$HOME' detected in shell context. Verify this environment variable access is necessary and the value is not exfiltrated. | Static | skills/vincent-labarthe/whatsapp-automation/setup.sh:21 | |
| LOW | WAHA Credentials Printed to Standard Output The `setup.sh` script extracts WAHA API Key, Username, and Password from Docker logs and prints them directly to the console. While intended for user configuration, this exposes sensitive credentials to anyone observing the terminal output or accessing terminal history. In a compromised environment, this could lead to credential leakage. Avoid printing sensitive credentials directly to standard output. If necessary for user configuration, provide instructions on how to retrieve them securely (e.g., from Docker logs directly) or use a more secure display method that clears after a short period. Ensure sensitive information is not stored in shell history. | LLM | setup.sh:60 | |
| LOW | Unpinned Docker Image Tag (latest) The `setup.sh` script pulls the `devlikeapro/waha` Docker image without specifying a version tag (implicitly using `latest`). The `latest` tag is mutable and can be updated by the image maintainer at any time. This introduces a supply chain risk, as future pulls might fetch a different, potentially vulnerable, or malicious image without explicit user action or review. Pin Docker image versions to specific, immutable tags (e.g., `devlikeapro/waha:1.2.3`) to ensure reproducibility and prevent unexpected changes. Regularly review and update pinned versions to incorporate security patches. | LLM | setup.sh:30 | |
| LOW | Unpinned Docker Image Tag (latest) The `scripts/setup.sh` script pulls the `devlikeapro/waha` Docker image without specifying a version tag (implicitly using `latest`). The `latest` tag is mutable and can be updated by the image maintainer at any time. This introduces a supply chain risk, as future pulls might fetch a different, potentially vulnerable, or malicious image without explicit user action or review. Pin Docker image versions to specific, immutable tags (e.g., `devlikeapro/waha:1.2.3`) to ensure reproducibility and prevent unexpected changes. Regularly review and update pinned versions to incorporate security patches. | LLM | scripts/setup.sh:49 | |
| INFO | WhatsApp Message Content Sent to Telegram The skill's core functionality involves forwarding WhatsApp message content (text and contact information) to Telegram via the Telegram Bot API. While this is the intended behavior of the skill, it represents a direct exfiltration of potentially sensitive user data from WhatsApp to a third-party service (Telegram). Users should be fully aware of this data flow and its privacy implications. Ensure clear and prominent disclosure to users about what data is collected, where it is sent, and for what purpose. Provide options for users to control or disable this data forwarding if they choose. Implement end-to-end encryption if possible for sensitive data in transit. | LLM | scripts/detect-appt.sh:20 | |
| INFO | WhatsApp Message Content Sent to Telegram The skill's core functionality involves forwarding WhatsApp message content (text and contact information) to Telegram via the Telegram Bot API. While this is the intended behavior of the skill, it represents a direct exfiltration of potentially sensitive user data from WhatsApp to a third-party service (Telegram). Users should be fully aware of this data flow and its privacy implications. Ensure clear and prominent disclosure to users about what data is collected, where it is sent, and for what purpose. Provide options for users to control or disable this data forwarding if they choose. Implement end-to-end encryption if possible for sensitive data in transit. | LLM | scripts/detect-important.sh:30 | |
| INFO | WhatsApp Message Content Sent to Telegram The skill's core functionality involves forwarding WhatsApp message content (text and contact information) to Telegram via the Telegram Bot API. While this is the intended behavior of the skill, it represents a direct exfiltration of potentially sensitive user data from WhatsApp to a third-party service (Telegram). Users should be fully aware of this data flow and its privacy implications. Ensure clear and prominent disclosure to users about what data is collected, where it is sent, and for what purpose. Provide options for users to control or disable this data forwarding if they choose. Implement end-to-end encryption if possible for sensitive data in transit. | LLM | scripts/detect-josephine.sh:29 | |
| INFO | WhatsApp Message Content Sent to Telegram The skill's core functionality involves forwarding WhatsApp message content (text and contact information) to Telegram via the Telegram Bot API. While this is the intended behavior of the skill, it represents a direct exfiltration of potentially sensitive user data from WhatsApp to a third-party service (Telegram). Users should be fully aware of this data flow and its privacy implications. Ensure clear and prominent disclosure to users about what data is collected, where it is sent, and for what purpose. Provide options for users to control or disable this data forwarding if they choose. Implement end-to-end encryption if possible for sensitive data in transit. | LLM | scripts/send-alert.sh:18 | |
| INFO | Persistence Mechanism via LaunchAgent The `setup.sh` script creates a macOS LaunchAgent (`com.whatsapp.store.plist`) to ensure the `whatsapp-message-store.js` service starts automatically at login. While a legitimate mechanism for persistence, it grants the service continuous execution privileges. If the `whatsapp-message-store.js` script or its dependencies were compromised, this persistence could be exploited. Regularly audit LaunchAgents and other persistence mechanisms. Ensure the executed script (`whatsapp-message-store.js`) is secure and its dependencies are up-to-date. Implement integrity checks for the script if possible. | LLM | setup.sh:100 |
Scan History
Embed Code
[](https://skillshield.io/report/4a79e867b122c591)
Powered by SkillShield