observe-whatsapp
Warn
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: MEDIUM
PROMPT_INJECTION
Full Analysis
- [Indirect Prompt Injection] (MEDIUM): The skill ingests untrusted external data from the WhatsApp API (messages, logs, webhooks) and presents it directly to the agent.
  - Ingestion points: Multiple scripts (e.g., messages.js, api-logs.js, webhook-deliveries.js) call the Kapso API to retrieve user-generated content and delivery logs via the kapsoRequest helper.
  - Boundary markers: The scripts output raw JSON data without using delimiters or specific instructions to the agent to disregard instructions found within the data fields.
  - Capability inventory: The skill has access to sensitive environment variables (KAPSO_API_KEY) and can perform network requests to a user-defined KAPSO_API_BASE_URL. Malicious content within a WhatsApp message could potentially influence the agent to leak the API key or perform unintended operations if the agent has access to other powerful tools.
  - Sanitization: No sanitization or filtering of the retrieved message content is performed before displaying it to the agent.
- [Data Exposure & Exfiltration] (LOW): The skill requires a KAPSO_API_KEY. While handled via environment variables, the agent's access to this key while processing untrusted message data increases the overall risk profile.
- [INFO]: The file scripts/openapi-explore.mjs is referenced in the documentation and file map but its source code was not provided in the audited content. This limits the ability to verify the safety of its searching and schema-parsing logic.
Audit Metadata