wacli

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
  • [EXTERNAL_DOWNLOADS] (HIGH): The skill installs the "wacli" binary from an unverified third-party GitHub repository ("steipete/wacli") and a Homebrew tap. This source is not on the trusted list, posing a supply chain risk.
  • [DATA_EXFILTRATION] (HIGH): The skill can search and backfill private WhatsApp message history. Combined with the "wacli send" capability, an agent could be manipulated into sending sensitive private data to external phone numbers or group chats.
  • [COMMAND_EXECUTION] (MEDIUM): The skill relies on executing multiple CLI commands with parameters derived from user or external input. This introduces a risk of command injection if arguments are not strictly sanitized by the calling framework.
  • [INDIRECT_PROMPT_INJECTION] (HIGH): A critical vulnerability surface exists because the skill ingests untrusted data (incoming WhatsApp messages) and has high-privilege write capabilities (sending messages/files).
      • Ingestion points: "wacli messages search", "wacli chats list", and "wacli sync" (referenced in SKILL.md).
      • Boundary markers: None identified in the prompt instructions to distinguish message content from instructions.
      • Capability inventory: "wacli send text", "wacli send file", and "wacli history backfill".
      • Sanitization: No escaping or validation of external message content is defined.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 10:00 AM