Is impa365/evolution-api safe?
https://github.com/openclaw/skills/tree/main/skills/impa365/evolution-api
The impa365/evolution-api skill is clean, well-structured API documentation for WhatsApp automation with no executable code, no prompt injection, and a straightforward installation process. The primary risks are inherent to the WhatsApp capabilities it documents — particularly webhook-based event routing to arbitrary external endpoints, an explicit fake call deception feature, media extraction chaining, and mass broadcast patterns — rather than any malicious intent embedded in the skill itself. Canary file reads observed during monitoring are attributable to the oathe monitoring infrastructure's baseline and integrity checking cycles, confirmed by pre-clone timing and intact canary file integrity.
Findings (9)
MEDIUM Webhook configuration enables arbitrary external WhatsApp event routing -12
The skill documents six event transport integrations (Webhook, WebSocket, RabbitMQ, SQS, NATS, Pusher) each accepting arbitrary user-configured URLs. If a malicious agent or attacker reconfigures these endpoints, all incoming WhatsApp messages, media, contacts, and connection events would be silently forwarded to attacker-controlled infrastructure with no user-visible indication.
MEDIUM Fake Call endpoint explicitly enables deceptive call simulation -20
The skill documents a dedicated endpoint for simulating call offers to arbitrary WhatsApp numbers. This is explicitly a deceptive feature with no legitimate reason to be used covertly — it can be used to harass targets, create false urgency, or manipulate users into callbacks.
MEDIUM Media extraction endpoint enables received-media exfiltration chain -8
The getBase64FromMediaMessage endpoint extracts the full base64-encoded content of any received WhatsApp media message. Combined with the outbound sendMedia or sendWhatsAppAudio endpoints, a malicious agent could extract media received by the WhatsApp instance and forward it to external parties.
LOW Mass broadcast pattern documented in skill workflows -5
The Common Workflows section includes a shell loop broadcasting messages to multiple recipients. While a standard WhatsApp automation use case, this documents a spam and harassment pattern that a malicious agent could exploit at scale.
LOW Full contact list and conversation history enumeration -5
findContacts with an omitted 'id' field returns all contacts; findChats returns all conversations. These endpoints enable comprehensive contact and conversation harvesting, exposing significant PII if the agent is compromised or misused.
LOW Canary files read during monitoring window — likely monitoring infrastructure -15
Six canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were opened and read at 10:52:11 (before the git clone started) and again at 10:52:38 (after the install completed). The pre-clone timing rules out the skill install as the cause. Both read events are consistent with the oathe monitoring framework performing baseline canary checks at start and post-install integrity verification. No network exfiltration of the files was detected, and the integrity check confirmed all files intact.
INFO Skill contains no executable code — pure API documentation 0
Installation produces exactly two files. The skill poses zero code execution risk at install time.
INFO SKILL.md contains no prompt injection patterns 0
Full review of SKILL.md content reveals clean API reference documentation with no attempts to override agent instructions, hide directives, switch personas, or escalate permissions beyond the declared WhatsApp automation scope.
INFO Installation used clean sparse git checkout from trusted repository 0
The install process cloned openclaw/skills with sparse checkout to retrieve only the skill subdirectory, then cleaned up the temporary clone. All network traffic was HTTPS to GitHub (140.82.121.3:443).