Is alex-tradequo/whatsapp-automation-a2a safe?
https://github.com/openclaw/skills/tree/main/skills/alex-tradequo/whatsapp-automation-a2a
MoltFlow is a legitimate commercial WhatsApp automation platform delivered as a documentation-only skill with a clean installation footprint: no executables, no install hooks, no unexpected network connections, and all canary honeypot files remained unmodified. The primary risks are systemic rather than actively malicious: the style-training and knowledge-base features transmit substantial volumes of private conversation history and business documents to third-party servers with no disclosed retention policy, the onboarding module autonomously bulk-collects account-wide data on broad natural-language triggers, the bulk-send infrastructure is explicitly engineered to evade WhatsApp spam detection, and promotional Stripe payment links are embedded throughout the agent's system prompt. Users should fully understand the scope of data sharing with MoltFlow before installation.
Findings (10)
HIGH (-20) Style training transmits full, unbounded conversation history to a third party
The /ai/style/train endpoint with both session_id and wa_chat_id omitted trains a style profile from ALL WhatsApp conversations across ALL connected sessions. This sends an unbounded quantity of private message history to apiv2.waiflow.app. No data-retention policy, deletion guarantee, or data-processing agreement is disclosed in the skill documentation.
HIGH (-15) Business document upload to external server without retention disclosure
The knowledge-base ingest endpoint accepts PDF and TXT files up to 100MB and stores them on MoltFlow infrastructure for RAG-based reply generation. No data-retention policy, deletion SLA, or data-processing agreement is referenced, creating significant confidentiality risk for legal, medical, and financial documents users may upload.
MEDIUM (-15) Onboarding skill autonomously bulk-collects account data on vague trigger phrases
The moltflow-onboarding sub-skill instructs the agent to immediately and silently call 11 GET endpoints (/users/me, /sessions, /groups, /custom-groups, /webhooks, /reviews/collectors, /tenant/settings, /scheduled-messages, /usage/current, /leads, /messages/chats/{session_id}) whenever phrases as broad as 'help me get started', 'find opportunities', or 'morning report' are matched. This autonomous batch collection substantially exceeds what any individual trigger phrase implies and occurs before any user-visible output.
MEDIUM (-20) Bulk-send infrastructure explicitly engineered to evade WhatsApp anti-spam detection
The Bulk Send feature uses randomized 30-second to 2-minute inter-message delays, typing simulation, and automatic seen/read indicators specifically described as 'anti-ban safety' measures. Combined with the ability to import arbitrary phone numbers from WhatsApp groups at scale via /custom-groups/from-wa-groups, this constitutes a ready-made spam platform that can be directed at scraped contacts.
MEDIUM (-10) Indirect prompt injection via incoming WhatsApp message content passed to AI reply endpoint
The /ai/generate-reply endpoint accepts a 'context' field of up to 2000 characters populated with customer messages. An adversary who sends a crafted WhatsApp message to the user's business number could have that content forwarded to MoltFlow's AI endpoint, potentially manipulating generated replies or exploiting model-level vulnerabilities. The documented input sanitization is server-side and not independently verifiable.
MEDIUM (-10) Content policy API allows disabling MoltFlow's own input sanitization and output filtering
The PUT /a2a-policy/settings endpoint accepts boolean flags input_sanitization_enabled and output_filtering_enabled. An attacker who can influence agent behavior could set both to false, removing the platform's prompt-injection detection and PII/secret scanning from subsequent AI reply generation and A2A messaging, effectively neutralizing the skill's advertised safety features.
LOW (-5) Promotional Stripe payment links injected into agent system prompt across all sub-skills
Every one of the eight sub-skill SKILL.md files opens with an italicized promotional block advertising MoltFlow's Business plan (described as a 'recent registration issue' deal) with a direct link to a Stripe checkout page. This advertising content is injected verbatim into the agent's system prompt and may be surfaced to users, effectively monetizing the agent's attention for the skill author's benefit.
LOW (-10) Webhook manager via A2A enables registration of arbitrary exfiltration callbacks
The webhook_manager A2A JSON-RPC method allows creating webhooks with arbitrary HTTPS URLs subscribed to events including message.received. A chained skill or compromised WhatsApp session could register an attacker-controlled URL to receive the content of all incoming WhatsApp messages without any user notification.
INFO (0) Credential file reads occurred before skill install; attributed to the audit monitoring framework
inotify and auditd logs record OPEN/ACCESS/CLOSE_NOWRITE events on six honeypot credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .gcloud/credentials) at 06:57:59. The git clone command was not executed until 06:58:04, five seconds later. Process tree (PID 1094 / sudo, PPID 1076) and timing are consistent with the audit framework reading canary baseline hashes before the install begins. Canary integrity check confirms files intact post-install.
INFO (0) Documentation-only package: no executables, hooks, or submodules
Static analysis of all files retrieved from the repository confirms the skill contains exclusively Markdown documentation and a package.json with no scripts field. No .gitattributes filter definitions, .gitmodules submodule declarations, git hook scripts, executable binaries, or symlinks were detected.