wacli
Warn
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill installs the
waclibinary from a third-party Homebrew tap (steipete/tap/wacli) and a GitHub repository (github.com/steipete/wacli). These sources are not affiliated with the skill author or a trusted vendor.- [COMMAND_EXECUTION]: The skill executes multiple shell commands through thewacliCLI, includingwacli auth,wacli sync,wacli messages search, andwacli send, which could allow for unintended command behavior if parameters are manipulated.- [DATA_EXFILTRATION]: The skill accesses and processes sensitive user data by searching and syncing WhatsApp chat history. It also includes capabilities to send local files (e.g.,wacli send file --file /path/agenda.pdf) to remote WhatsApp JIDs, creating a path for data exfiltration.- [PROMPT_INJECTION]: The skill processes untrusted external data via thewacli messages searchcommand, which retrieves content from WhatsApp messages. This creates an attack surface for indirect prompt injection. - Ingestion points: Results from
wacli messages searchandwacli chats listare processed by the agent. - Boundary markers: The skill does not define specific delimiters or instructions to the agent to ignore commands within the fetched message content.
- Capability inventory: The skill has the ability to execute shell commands (
wacli), read local files, and send messages/files to external recipients. - Sanitization: There is no evidence of sanitization or filtering of the content retrieved from WhatsApp before it is presented to the agent.
Audit Metadata