add-whatsapp

The skill is broadly consistent with its stated purpose: adding WhatsApp as a channel requires auth credentials, chat registration, and new channel code. The main risk is install/execution trust: it fetches and merges code from an external GitHub repo, then installs dependencies and executes setup scripts, which is a real supply-chain risk if the repo provenance is not independently verified. No clear credential exfiltration, stealth, or unrelated capability expansion is present, so this is better classified as suspicious supply-chain exposure than malware.