Is wacli safe?
https://clawhub.ai/steipete/wacli
The wacli skill is a pure prompt-only skill (no executable code) that wraps a WhatsApp CLI tool. It contains reasonable safety guardrails but grants the agent powerful capabilities: sending messages and files to arbitrary phone numbers and reading private message history. These capabilities represent significant data exfiltration and social engineering vectors, especially if another skill or injected content bypasses the soft safety instructions. The skill itself is not malicious, but the capabilities it enables require high trust in the overall agent security posture.
Findings (8)
HIGH File send capability enables arbitrary file exfiltration via WhatsApp -30
The skill teaches the agent to use wacli send file --to <number> --file /path/file which can transmit any readable file on the filesystem to any phone number. A compromised or injected prompt could instruct the agent to send sensitive files (SSH keys, .env, credentials) to an attacker-controlled number.
HIGH Messaging capability is vulnerable to prompt injection chains -40
The safety guardrails (confirm recipient, require explicit message) are soft — they rely on the LLM honoring instructions. Another skill, a malicious document opened by the agent, or injected content in a chat message could bypass these guardrails and cause the agent to send unauthorized messages or files.
MEDIUM WhatsApp message history exposed to agent context -15
The wacli messages search command allows the agent to read private WhatsApp conversation history. This data enters the agent's context window and could be leaked through other skills, logged, or included in responses to other users in multi-tenant scenarios.
MEDIUM Installation executes external code from third-party tap -20
The install instructions reference steipete/tap/wacli (Homebrew) and github.com/steipete/wacli (Go). Installing compiles and runs code from this third-party repository, which is not audited here. A supply chain compromise of the wacli binary would give full shell access.
LOW Skill directs agent behavior for routing decisions -5
The skill tells the agent when to use and not use wacli, including routing logic ('Clawdbot routes WhatsApp conversations automatically'). This is normal for a skill but subtly influences agent decision-making beyond just tool usage.
INFO Homepage URL in metadata -5
The skill references https://wacli.sh as its homepage. This is metadata only and does not instruct the agent to fetch it, but could be used in social engineering if the domain were compromised.
INFO Reasonable safety guardrails present -5
The skill includes explicit safety instructions: require explicit recipient and message, confirm before sending, ask clarifying questions on ambiguity. These are positive but not enforceable.
INFO Platform reads .env and .aws/credentials during install -15
The filesystem monitoring shows /home/oc-exec/.env and /home/oc-exec/.aws/credentials being read during the install process. This appears to be the openclaw platform's behavior (loading configuration), not the skill's behavior, but is noted for completeness.