Is engahmedsalah358-lgtm/whats safe?
https://github.com/openclaw/skills/tree/main/skills/engahmedsalah358-lgtm/whats
The engahmedsalah358-lgtm/whats skill is a clean, static SKILL.md wrapper around the open-source wacli WhatsApp CLI tool with no prompt injection, malicious code, executable content, or direct data exfiltration attempts. All canary honeypot files remained intact and install behavior was normal. The primary risk is inherent to the tool's design: the wacli send file command creates a WhatsApp-based data exfiltration channel that could be exploited if the agent is manipulated by a separate injection vector, and persistent auth storage in ~/.wacli expands the attack surface across sessions. The low-provenance author account and unaudited third-party binary supply chain (steipete's Homebrew tap) warrant user awareness before installation.
Findings (6)
MEDIUM File-send capability creates WhatsApp-based data exfiltration vector -15
The wacli send file command allows an agent to transmit any readable local file to any WhatsApp phone number or group JID. If a user is socially engineered or the agent is compromised by a prompt injection from a separate source (e.g., a malicious document it is asked to read), it could send sensitive files such as .env files, SSH private keys, or AWS credentials to an attacker-controlled number. The skill's safety guardrail (confirm before sending) reduces but does not eliminate this risk, as sophisticated social engineering could satisfy the confirmation step.
LOW Persistent WhatsApp auth store expands attack surface across sessions -10
The wacli tool stores WhatsApp authentication state in ~/.wacli after QR-code login. This persistent session means that any future agent session with filesystem access and wacli installed can send messages and files without re-authentication. The session persistence is inherent to the tool's design but increases the blast radius if the agent is later compromised.
LOW Unaudited third-party binary supply chain via steipete Homebrew tap and Go module -10
The skill install metadata specifies the wacli binary should be installed via steipete/tap/wacli (a personal Homebrew tap) or github.com/steipete/wacli/cmd/wacli@latest (a Go module). The security of the wacli binary itself is not evaluated in this audit. A compromised or malicious wacli binary could perform actions beyond those described in SKILL.md. Users are trusting steipete's package supply chain.
LOW Low-provenance author account with unusual naming pattern -20
The skill is published under the account engahmedsalah358-lgtm. The -lgtm suffix (Looks Good To Me, a common code review approval signal) appended to what appears to be a personal identifier is atypical for a legitimate user account and may indicate an automated publishing workflow or test account. No malicious content was found in the skill, but the account's history, reputation, and identity cannot be verified, reducing confidence in the skill's long-term maintenance and trustworthiness.
INFO Agent gains standing access to user's WhatsApp contacts and groups -8
Activating this skill and completing wacli auth grants the agent the ability to enumerate the user's WhatsApp contacts (wacli chats list), read message history (wacli messages search), and send messages/files to any contact or group. This represents a significant capability grant. While the skill appropriately scopes this to third-party messaging only, the scope of access is broad.
INFO Pre-existing Ubuntu infrastructure connections not attributable to skill 0
Network connections to 185.125.188.54:443 (Canonical/Ubuntu) observed in the monitoring window predate the skill install by several seconds and are attributable to Ubuntu's background system services. The post-install connection diff confirms no new persistent connections were created by the skill installation.