Is gabrielsayumi/probar safe?
https://github.com/openclaw/skills/tree/main/skills/gabrielsayumi/probar
This skill provides documentation for the wacli WhatsApp CLI tool with appropriate safety guardrails (explicit confirmation required, clarifying questions on ambiguity). The SKILL.md contains no prompt injection attempts, no executable code, no hidden instructions, and clone monitoring showed only expected GitHub network activity with all canary files remaining intact. The primary residual risk is the inherent power of WhatsApp send-file and send-text capabilities, which create a potential data exfiltration or social engineering vector if the agent is later compromised through prompt injection from an adversarial document or a malicious companion skill.
Findings (6)
MEDIUM File-send capability enables agent-mediated data exfiltration -12
The wacli send file subcommand allows the agent to send any file accessible on the host filesystem to an arbitrary phone number. While the skill requires explicit user confirmation, a sophisticated prompt injection or social engineering attack could manipulate the user into confirming a malicious send operation. The documentation does not restrict which file paths can be sent.
LOW Full WhatsApp message history exposed to agent context -8
The wacli messages search and history backfill commands give the agent read access to all WhatsApp conversations. If the agent context is later leaked or logged, sensitive personal and business communications could be exposed.
LOW Cross-skill attack chain: file-reader + wacli = exfiltration -15
If an attacker installs a separate skill that reads sensitive files and injects a prompt instructing the agent to send the contents via wacli, the combined effect is credential exfiltration to an attacker-controlled phone number, with the user's confirmation prompt as the only remaining control. The skill is benign in isolation but dangerous in adversarial combinations.
LOW Social engineering: agent could impersonate user to contacts -5
The skill grants the agent the ability to send WhatsApp messages to any of the user's contacts. A malicious prompt (e.g., embedded in a document the user asks the agent to summarize) could instruct the agent to send fraudulent messages on the user's behalf.
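The three findings above (unrestricted file paths, cross-skill exfiltration, and impersonation of the user to contacts) share one mitigation: a policy gate that runs before any send, independent of whether the user clicks through a confirmation. The following is an added example written for this review, not code from the skill, from wacli, or from the OpenClaw project. It models only the decision, not wacli's actual command syntax; the allowed root directory, the denied filename patterns, the recipient allowlist, and the sample files are all constructed for the demonstration.

```python
"""Pre-send policy gate for an agent-mediated WhatsApp send (added example).

Assumptions (not from the audited skill or from wacli):
  - the agent can only send files from explicitly allowed directories;
  - filenames that look like secrets are refused even inside those directories;
  - recipients must be on an allowlist, compared after normalising the number.
"""
import fnmatch
import os
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Constructed policy values for the demo; a real deployment would load these
# from a config the agent cannot edit.
DENY_PATTERNS = ("*.pem", "*.key", "id_rsa*", "id_ed25519*", ".env*",
                 "*.kdbx", "*credentials*", "*token*")
ALLOWED_RECIPIENTS = {"+15551230001", "+15551230002"}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def check_recipient(number: str, allowed=ALLOWED_RECIPIENTS) -> Decision:
    """Normalise '+1 (555) 123-0001' style input before comparing."""
    digits = re.sub(r"[^\d+]", "", number)
    if digits in allowed:
        return Decision(True, "recipient on allowlist")
    return Decision(False, f"recipient {digits!r} not on allowlist")


def check_file(path: str, allowed_roots) -> Decision:
    """Decide on the real target: symlinks and '..' are resolved first so the
    agent cannot be handed a harmless-looking name that points at a secret."""
    real = Path(os.path.realpath(path))
    if not real.is_file():
        return Decision(False, f"{real} is not a regular file")
    roots = [Path(os.path.realpath(r)) for r in allowed_roots]
    if not any(root in real.parents for root in roots):
        return Decision(False, f"{real} is outside the allowed send roots")
    # Name-pattern check is a weak secondary heuristic; the root check above
    # is the control that actually bounds what can leave the host.
    if any(fnmatch.fnmatch(real.name, pat) for pat in DENY_PATTERNS):
        return Decision(False, f"{real.name} matches a denied secret pattern")
    return Decision(True, "ok")


def gate_send(recipient: str, path: str, allowed_roots) -> Decision:
    """Both checks must pass; the recipient is checked first so a bad
    destination is refused even before the filesystem is consulted."""
    decision = check_recipient(recipient)
    if not decision.allowed:
        return decision
    return check_file(path, allowed_roots)


def demo() -> dict:
    """Build a constructed sandbox and run the gate over five send requests.
    Returns {name: allowed} so the outcomes can be inspected or asserted on."""
    with tempfile.TemporaryDirectory() as tmp:
        shared = Path(tmp, "shared")
        ssh_dir = Path(tmp, "home", ".ssh")
        shared.mkdir()
        ssh_dir.mkdir(parents=True)
        (shared / "report.pdf").write_bytes(b"%PDF-1.4 constructed sample")
        (shared / "backup.key").write_text("constructed sample, not a real key")
        (ssh_dir / "id_ed25519").write_text("constructed sample, not a real key")
        # A symlink inside the allowed directory that points at the private key:
        # the classic way a 'send notes.txt' request becomes key exfiltration.
        os.symlink(ssh_dir / "id_ed25519", shared / "notes.txt")
        roots = (str(shared),)
        good = "+1 (555) 123-0001"
        return {
            "legit": gate_send(good, str(shared / "report.pdf"), roots).allowed,
            "traversal": gate_send(good, str(shared / ".." / "home" / ".ssh" / "id_ed25519"), roots).allowed,
            "symlink": gate_send(good, str(shared / "notes.txt"), roots).allowed,
            "denied_name": gate_send(good, str(shared / "backup.key"), roots).allowed,
            "unknown_recipient": gate_send("+1 555 999 0000", str(shared / "report.pdf"), roots).allowed,
        }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:18s} {'ALLOW' if allowed else 'DENY'}")
```

The gate is deliberately placed before the confirmation step rather than in place of it: a user manipulated into confirming (finding 1) or an injected instruction from another skill (finding 3) still cannot move anything outside the allowed root or reach a number that is not on the allowlist (finding 4). The sample run denies the parent-directory traversal, the symlink into ~/.ssh, the key-named file inside the allowed directory, and the unknown recipient, and allows only the plain document to the allowlisted contact.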
INFO Third-party binary (wacli) required — outside audit scope 0
The skill's install metadata specifies two install paths: brew install steipete/tap/wacli and go install github.com/steipete/wacli/cmd/wacli@latest. The security of the wacli binary itself was not audited, and the @latest install path pulls whatever version is current at install time rather than a pinned release. Users should review steipete/wacli independently before installing.
INFO Slug name mismatch: probar vs wacli content 0
The skill is registered under slug 'probar' (Spanish: to test/try) but the SKILL.md content is exclusively about the wacli WhatsApp CLI tool. The displayName is 'PROBAR'. This is consistent with a developer testing their skill submission pipeline rather than a deliberate obfuscation attempt.