wacli
Warn
Audited by Gen Agent Trust Hub on Feb 23, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill attempts to install the 'wacli' binary using Homebrew (steipete/tap/wacli) or Go (github.com/steipete/wacli). These sources are not on the trusted vendors list, representing a risk of installing unverified external code.- [COMMAND_EXECUTION]: The skill facilitates the execution of various CLI commands (e.g., 'wacli send', 'wacli sync') that interact with external services and local files based on user-provided input.- [DATA_EXFILTRATION]: The skill accesses and manages sensitive data located in the '~/.wacli' directory, which contains WhatsApp authentication sessions and synced message history. It also enables sending local files to external recipients.- [PROMPT_INJECTION]: While the skill includes safety instructions to confirm recipients, the broad capability to search and send messages based on natural language could be a target for indirect injection from processed message content.
Audit Metadata