wacli
Warn
Audited by Gen Agent Trust Hub on Apr 18, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill downloads and installs the wacli utility from a third-party GitHub repository (steipete/wacli) using Homebrew or the Go toolchain.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through the ingestion of untrusted data from WhatsApp.
  1. Ingestion points: The agent reads chat history and message content using wacli messages search and wacli history backfill (SKILL.md).
  2. Boundary markers: Absent; there are no instructions to treat retrieved content as untrusted.
  3. Capability inventory: The skill can send text messages, send files, and search message history (SKILL.md).
  4. Sanitization: Absent; no validation or escaping is performed on message content.
- [DATA_EXFILTRATION]: The skill accesses sensitive personal information, including WhatsApp messages, group identifiers, and contact numbers. It stores data locally in the ~/.wacli directory.
- [COMMAND_EXECUTION]: The skill relies on executing shell commands via the wacli CLI to perform its functions, including authentication, syncing, and sending messages.
Audit Metadata