whatsapp-messaging
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The skill requires the installation of the
@kapso/whatsapp-cloud-apipackage via npm. This package is not provided by a trusted organization or repository listed in the security guidelines. - COMMAND_EXECUTION (MEDIUM): The documentation instructs the user/agent to execute multiple local JavaScript scripts (e.g.,
list-platform-phone-numbers.mjs,create-template.mjs,send-template.mjs) using Node.js. These scripts are intended to interact with the Kapso API and manage local assets. - DATA_EXFILTRATION (LOW): The skill transmits data and credentials (
KAPSO_API_KEY) toapi.kapso.ai. This is the documented purpose of the skill (Meta proxy), but it involves sending potentially sensitive messaging data to a non-whitelisted third-party domain. - PROMPT_INJECTION (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8) because it reads external data from WhatsApp inboxes.
- Ingestion points: Incoming messages are retrieved via
client.messages.query(),client.conversations.list(), or direct proxy GET requests to the/messagesendpoint. - Boundary markers: None identified in the provided instructions; untrusted message content is processed directly into the agent's context.
- Capability inventory: The skill can send outbound messages, create/modify templates, and upload media, which could be leveraged if an attacker successfully injects instructions into an incoming message.
- Sanitization: No sanitization or validation of the message content is mentioned before it is processed by the agent.
Audit Metadata