Is whatsapp-business safe?

https://clawhub.ai/byungkyu/whatsapp-business

72/100 · CAUTION

This skill is a documentation-only WhatsApp Business API integration that routes all traffic through the third-party Maton gateway proxy. It contains no malicious code or install-time threats, but it poses moderate risks: all message content and OAuth tokens flow through maton.ai (a trust dependency), the agent gains the ability to send messages to arbitrary phone numbers, and the skill description attempts to chain-load a second skill (api-gateway). The cross-skill directive and the arbitrary messaging capability warrant caution.

Category Scores (score · weight)

Prompt Injection 62/100 · 30%
Data Exfiltration 68/100 · 25%
Code Execution 78/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 55/100 · 5%

Findings (11)

MEDIUM · Cross-skill chaining directive in description · -20

The skill description includes 'For other third party apps, use the api-gateway skill (https://clawhub.ai/byungkyu/api-gateway)' which directs the agent to load and use another skill. This could expand the attack surface without explicit user consent and is a form of soft prompt injection — the skill is instructing the agent to take actions beyond its stated scope.

MEDIUM · Executable code blocks as agent instructions · -18

The SKILL.md contains fully formed Python scripts in bash code blocks that the agent will treat as ready-to-execute instructions. While common for API documentation skills, this pattern means the agent will run code that makes authenticated network requests to third-party servers without additional verification.

MEDIUM · All traffic routed through third-party proxy · -20

The gateway.maton.ai proxy sits between the user and Facebook's WhatsApp API. All message content, phone numbers, media, and OAuth tokens pass through this intermediary. The user must trust both Meta and Maton with their data. There is no way to verify what Maton logs or retains.

LOW · OAuth session tokens exposed in agent context · -7

The connection management API returns OAuth session URLs containing session tokens. These appear in the agent's context window and could be inadvertently included in conversation logs, shared contexts, or error reports.

LOW · Sensitive file reads during installation · -5

Filesystem monitoring detected reads of .env, .aws/credentials, and auth-profiles.json during the install process. These reads originate from the OpenClaw platform toolchain rather than the skill itself, but indicate the installation environment accesses sensitive credential stores.

MEDIUM · Arbitrary message sending capability · -25

The skill enables the agent to send WhatsApp messages to any phone number. In a multi-skill environment, a malicious skill could manipulate the agent into sending spam, phishing messages, or exfiltrating data via WhatsApp to attacker-controlled numbers. Even without malice, a confused agent could send unintended messages with real business and legal consequences.

MEDIUM · Template creation enables phishing infrastructure · -20

The skill allows creating WhatsApp message templates including AUTHENTICATION category templates. A malicious actor could use this to create convincing phishing templates that, once approved by Meta, could be sent at scale.

LOW · Inline Python scripts with network access · -12

The skill contains multiple ready-to-execute Python scripts that make HTTP requests. While these serve as API examples, they constitute code that the agent will execute in the user's shell environment with access to environment variables and network.

INFO · No malicious install artifacts · 0

Empty package.json, no git hooks, no submodules, no symlinks, no lifecycle scripts. The skill is purely a SKILL.md documentation file with metadata.

INFO · Clean installation with no anomalous behavior · -10

Installation produced only standard OpenClaw platform artifacts (jiti cache files, gateway lock). No network connections, no unexpected processes, no filesystem modifications outside expected paths.

INFO · All honeypot files intact · 0

No canary files were accessed or modified, indicating no credential harvesting or exfiltration attempts during installation.