whatsapp-messaging
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (LOW): The skill instructions require the installation of the
@kapso/whatsapp-cloud-apipackage from the NPM registry. This is a standard external dependency for the skill's core functionality. - [COMMAND_EXECUTION] (LOW): The skill utilizes several local Node.js scripts (e.g.,
list-platform-phone-numbers.mjs,create-template.mjs) to perform administrative and operational tasks. These scripts represent a command execution surface that relies on the integrity of the files within the skill package. - [DATA_EXFILTRATION] (LOW): The skill provides capabilities to read private WhatsApp inbox data and message history (
client.messages.query()). This involves access to sensitive Personal Identifiable Information (PII) and private communications, creating a data exposure surface if the agent's context is mishandled. - [PROMPT_INJECTION] (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8). Because the agent is instructed to read incoming WhatsApp messages, an attacker could send a message containing malicious instructions designed to hijack the agent's logic.
- Ingestion points:
client.messages.query(),GET /{phone_number_id}/messages(SKILL.md). - Boundary markers: None identified; the agent processes message bodies directly.
- Capability inventory: Sending messages, managing templates, and uploading media.
- Sanitization: No explicit sanitization or filtering of external message content is documented.
Audit Metadata