openclaw-whatsapp
Fail
Audited by Snyk on Feb 26, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E005: Suspicious download URL detected in skill instructions.
- Suspicious download URL detected (high risk: 0.80). The raw GitHub URL is a direct link to an executable install.sh served from a pseudonymous/unverified account; piping it into a shell (curl https://raw... | bash) is a common and high-risk malware vector. The localhost QR page is benign, but taken together the source and distribution method are suspicious.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The worker explicitly fetches user-generated WhatsApp messages from the bridge API (scripts/wa-notify-worker.sh uses curl "http://localhost:8555/chats/${jid}/messages?limit=10", and SKILL.md notes "Fetches last 10 messages for context") and inserts that untrusted content into the agent prompt. Because the agent then performs actions (e.g., openclaw-whatsapp send), third-party message content can materially influence its behavior and enable indirect prompt injection.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill instructs the user/agent to run sudo cp and chmod to install scripts into /usr/local/bin and to create/enable systemd services, which explicitly modifies system files and requests elevated privileges and thus can compromise the machine state.
Audit Metadata