whatsapp-skill
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads untrusted message content from WhatsApp and presents it to the agent without sanitization or boundary markers. This could allow an external attacker to influence the agent's behavior.\n
- Ingestion points: WhatsApp message data enters via
whatsapp_skill.jsfunctionscmdMessages,cmdChats, andcmdSearch.\n - Boundary markers: Absent. There are no delimiters or instructions used to separate external message content from agent instructions.\n
- Capability inventory: The agent has access to
BashandReadtools, and the skill provides the ability to send messages.\n - Sanitization: Absent. Raw message bodies are returned directly in the tool output.\n- [COMMAND_EXECUTION]: The script initializes a browser for automation using the '--no-sandbox' and '--disable-setuid-sandbox' flags in
whatsapp_skill.js, which reduces the standard security isolation of the browser process.\n- [EXTERNAL_DOWNLOADS]: The skill downloads Chromium via its dependencies to enable browser-based WhatsApp automation.
Audit Metadata