waha
Warn
Audited by Socket on Mar 29, 2026
1 alert found:
Anomaly (LOW): SKILL.md
SUSPICIOUS. The skill is mostly purpose-aligned as a WAHA client, with modest supply-chain risk, but it forwards a locally stored API key and all WhatsApp operations to an arbitrary user-configured WAHA endpoint, including non-official third-party infrastructure. The biggest concern is data-flow trust and autonomous external messaging, not hidden malware behavior.
Confidence: 88%
Severity: 69%