Is marcosrippel/whatsapp-utils safe?

https://github.com/openclaw/skills/tree/main/skills/marcosrippel/whatsapp-utils

69
CAUTION

whatsapp-utils is a CAUTION-level skill whose primary risk is its export-contacts command, a purpose-built tool that extracts all WhatsApp contact PII (phone numbers, display names, business status) from the user's session credential store and places it in the agent's context. While the skill itself makes no network calls, any agent with HTTP capabilities can trivially relay this harvested contact data externally in a single follow-up instruction — making this skill a high-value exfiltration primitive in multi-skill or network-capable deployments. The cache-info command additionally maps the credential directory structure. The SKILL.md is clean of prompt injection and installation behavior was normal, but the data exposure risk is significant enough to warrant careful review before deployment.

Category Scores

Prompt Injection 92/100 · 30%
Data Exfiltration 35/100 · 25%
Code Execution 78/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 65/100 · 10%
Behavioral Reasoning 40/100 · 5%

Findings (7)

HIGH export-contacts dumps all WhatsApp contact PII -50

The export-contacts command reads contacts.json from the WhatsApp session credentials directory and outputs every contact's phone number, display name, and business status as structured JSON. This is a complete contact list exfiltration capability. The agent receives this data in its context, from which any network-capable co-skill or user instruction can forward it externally. No user consent prompt, scope limit, or output sanitization is implemented.

HIGH cache-info enumerates WhatsApp credential store structure -15

The cache-info command performs a full directory listing of the WhatsApp credentials path, categorizes files by type (creds.json, contacts.json, store.json, session-*, sender-key-*, device-list-*), and reports aggregate sizes. This provides an attacker with a complete inventory of credential assets available for further extraction.

HIGH Contact harvest trivially chainable with agent network access -60

The skill produces structured, machine-readable contact PII output (JSON array of {phone, name, isBusiness}) directly in agent context. An attacker controlling user prompts needs only one additional instruction to an agent with HTTP capabilities to exfiltrate the entire WhatsApp contact list. The attack vector requires no code modification — the skill is the exfiltration primitive and the agent's existing tools are the delivery mechanism.

MEDIUM Canary credential files accessed during audit window -35

Six canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud ADC) were opened and read at two points during the audit. Timing analysis correlates both access batches with monitoring infrastructure sudo invocations rather than skill script execution, and the integrity check reports no file modification. However, the monitoring system cannot distinguish read-based exfiltration, and process-level attribution was not definitively confirmed for all access events.

MEDIUM Phone number arguments passed without sanitization -22

The format and clean commands concatenate all argv tokens after position 2 with join(' ') and pass the result to handler functions. While the handlers only apply regex operations (replace(/\D/g, '')), the pattern establishes unsanitized user-input-to-code-argument flow. A sufficiently adversarial phone number string passed by a compromised agent could exploit edge cases in Node.js argument parsing.

LOW exec() pattern in SKILL.md passes user input as shell arguments -8

SKILL.md instructs the agent to construct exec() calls with phone number arguments interpolated from user input. If the hosting agent does not properly quote arguments before shell execution, a malicious phone number string could inject additional shell commands. This is a documentation-level concern rather than a code vulnerability, but it establishes a risky precedent.

INFO Installation limited to GitHub HTTPS — no secondary payload fetch 0

The entire installation process consists of a single git sparse-checkout clone from github.com/openclaw/skills.git. No secondary downloads, npm installs, or remote script fetches were detected. The connection to GitHub closed cleanly after file copy.