Scan Report
0 /100
WhatsApp Whitelist Skill (Word Trigger)
Manages whitelist sets of phone numbers and sends WhatsApp messages via OpenClaw CLI
Legitimate WhatsApp whitelist management skill that correctly uses filesystem:WRITE for local JSON storage and shell:WRITE for the openclaw CLI, with no undeclared behavior, network access, credential harvesting, or data exfiltration.
Safe to install
This skill is safe to use. No security concerns identified.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | WRITE | WRITE | ✓ Aligned | word-trigger.js:18-31 creates data directory and JSON files |
| Shell | WRITE | WRITE | ✓ Aligned | word-trigger.js:65-71 uses execFile to run openclaw CLI commands |
| Network | NONE | NONE | — | No HTTP requests or socket connections in codebase |
| Environment | NONE | NONE | — | No os.environ access or credential file reads |
| Skill Invoke | NONE | NONE | — | No skill recursion or inter-skill calls |
File Tree
2 files · 13.8 KB · 458 lines JavaScript 1f · 401L
Markdown 1f · 57L
├─
SKILL.md
Markdown
└─
word-trigger.js
JavaScript
Security Positives
✓ No HTTP requests or external network connectivity
✓ No credential harvesting or sensitive path access (~/.ssh, ~/.aws, .env)
✓ No base64, eval, or shell injection vectors
✓ No curl|bash or wget|sh remote script execution
✓ Filesystem writes are scoped to local data/ directory only
✓ Phone number validation prevents injection
✓ Set name validation prevents path traversal
✓ All operations are declared in SKILL.md