observe-whatsapp
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFE | EXTERNAL_DOWNLOADS | PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The scripts/openapi-explore.mjs script fetches OpenAPI specifications from docs.kapso.ai, which is the official documentation domain for the vendor (Kapso). This is used for API schema discovery and exploration.
- [PROMPT_INJECTION]: The skill is subject to indirect prompt injection risks as it ingests and displays external data from WhatsApp messages and API logs.
  - Ingestion points: Untrusted data enters the agent context through the outputs of scripts/messages.js, scripts/message-details.js, scripts/api-logs.js, and scripts/webhook-deliveries.js.
  - Boundary markers: The retrieved data is presented in JSON format; however, no specialized delimiters or instructions are provided to the model to ignore potential instructions embedded within message text.
  - Capability inventory: A thorough audit of all scripts shows that the skill's capabilities are limited to read-only network requests (HTTP GET) to the Kapso API. No subprocess execution, eval()/exec() calls, file system write operations, or unauthorized outbound network connections were found.
  - Sanitization: External data is parsed from JSON and re-serialized before being output to the console, ensuring structural validity but not filtering the content of the messages themselves.
Audit Metadata