openclaw-whatsapp
Fail
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: CRITICALREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [REMOTE_CODE_EXECUTION]: The installation instructions in
SKILL.mdrequire users to runcurl -fsSL https://raw.githubusercontent.com/0xs4m1337/openclaw-whatsapp/main/install.sh | bash. This executes remote code from an untrusted individual's repository with the user's full privileges. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection in
scripts/wa-notify-worker.sh. It incorporates untrusted message content and sender names directly into the LLM prompt without sanitization or boundary markers. - Ingestion points: WhatsApp message data (body, name, JID) enters via
scripts/wa-notify.shand is stored in a local queue file. - Boundary markers: None. Untrusted variables like
$msgand$historyare interpolated into a plain-text prompt template. - Capability inventory: The agent can execute the
openclaw-whatsapp sendcommand and any other tools configured in theopenclawenvironment. - Sanitization: No sanitization or escaping of message content is performed before interpolation.
- [COMMAND_EXECUTION]: The
scripts/wa-notify-worker.shscript usestimeout 45s openclaw agentto execute commands generated by the AI based on the injected WhatsApp content. This allows a remote attacker to potentially trigger unauthorized agent actions. - [EXTERNAL_DOWNLOADS]: The worker script pipes the output of a local API call (
http://localhost:8555/chats/${jid}/messages) directly into a Python interpreter. While intended for JSON parsing, this pattern increases the attack surface if the local API were compromised or manipulated via thejidvariable.
Recommendations
- HIGH: Downloads and executes remote code from: http://localhost:8555/chats/${jid}/messages?limit=10, https://raw.githubusercontent.com/0xs4m1337/openclaw-whatsapp/main/install.sh - DO NOT USE without thorough review
- AI detected serious security threats
Audit Metadata