← Back to Skills Marketplace
zero-astro

WhatsApp HappyBDay

by zero-astro · GitHub ↗ · v1.0.2 · MIT-0
cross-platform ⚠ suspicious
109
Downloads
0
Stars
0
Active Installs
3
Versions
Install in OpenClaw
/install whatsapp-happybday
Description
Monitor WhatsApp groups to dynamically detect people who should be congratulated. It identifies keywords (e.g., "birthday", "congratulations") and the person...
Usage Guidance
What to consider before installing: - Metadata mismatch: the skill's declared required env vars omit BIRTHDAY_SKIP_LIST (used by the code) and incorrectly lists BIRTHDAY_MIN_MESSAGES as the primary credential — treat these as errors in the package metadata. - Command-injection risk: the script uses subprocess.run(..., shell=True) and builds shell commands containing group JIDs and generated messages (which can include extracted names from chat text). Untrusted group content could be crafted to inject shell commands. Before enabling the skill (especially with BIRTHDAY_SIMULATE=false), either: (a) review and harden the code to use subprocess.run([...], shell=False) or properly escape/quote inputs, or (b) sandbox execution (container) and keep it in simulation mode. - Simulation first: keep BIRTHDAY_SIMULATE=true and test extensively. Inspect messages.json and scoring_words.json defaults and your skip list to avoid unwanted sends. - Dependency and runtime: ensure python-dotenv is installed in the environment the agent will run in; the script exits if dotenv is missing. The script also contains a hardcoded user-site path fallback which is odd but not critical. - Autonomy and cron: because the skill is intended for periodic autonomous runs, only enable it if you are comfortable with an automated agent sending messages on your behalf. If you need help making the subprocess usage safe, seek a code fix that removes shell=True and uses argument lists, or that sanitizes user-derived strings before embedding them into shell commands.
Capability Analysis
Type: OpenClaw Skill Name: whatsapp-happybday Version: 1.0.2 The skill automates WhatsApp congratulations using the `wacli` tool, but contains a significant shell injection vulnerability in `scripts/whatsapp_happybday.py`. The script uses `subprocess.run` with `shell=True` to execute commands constructed from external data (such as group JIDs) without sanitization. Additionally, the code includes hardcoded local developer paths and redundant environment checks. While the behavior aligns with the stated purpose and no clear malicious intent or exfiltration was found, the high-risk command execution logic is a critical security flaw.
Capability Assessment
Purpose & Capability
The code and SKILL.md match the stated purpose (uses wacli to read group messages, scores them, identifies names, and optionally sends replies). However the registry metadata is odd: primaryEnv is set to BIRTHDAY_MIN_MESSAGES (not a credential) and the declared required env vars omit BIRTHDAY_SKIP_LIST which the script and docs expect. That metadata mismatch is surprising and should be corrected.
Instruction Scope
The runtime instructions ask the agent to sync wacli, run the Python script, and create cron jobs — all coherent for the stated feature. But the SKILL.md and script use additional environment variables (e.g., BIRTHDAY_SKIP_LIST) that are not listed in requires.env. The instructions push for autonomous periodic execution and precise heartbeat behavior, which is fine for monitoring but increases risk if the script can execute arbitrary shell commands (see install_mechanism and environment_proportionality).
Install Mechanism
No install spec (instruction-only) and a small requirements.txt (python-dotenv). That is low risk in principle. However the script itself shells out to wacli via subprocess.run(..., shell=True) with interpolated values (group JIDs and generated messages). Because message content and names are derived from group text, this creates a command-injection risk if inputs aren't sanitized. The skill does not show any escaping/quoting safeguards.
Credentials
The skill only needs local access to wacli and a few configuration/environment variables, which is proportionate — but the registry lists only three required env vars while the SKILL.md and script rely on others (e.g., BIRTHDAY_SKIP_LIST). Marking BIRTHDAY_MIN_MESSAGES as primary credential is incorrect and misleading. Also simulation mode defaults to true (safer), but turning it off will cause the script to send messages; you should review and limit who/what it can message before disabling simulation.
Persistence & Privilege
The skill does not request always:true and does not require system-wide privileges. It writes its own state file under ~/.openclaw/skills/whatsapp-happybday/data which is expected for state tracking. Autonomous invocation is allowed (default) which is normal for skills, but combined with other concerns (shelling out with user-derived content) increases blast radius.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install whatsapp-happybday
  3. After installation, invoke the skill by name or use /whatsapp-happybday
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
Fixed primaryEnv metadata (removed misleading BIRTHDAY_SKIP_LIST), unified silence response to HEARTBEAT_OK across all documentation, added default values for env vars
v1.0.1
Cleaned repository by removing unnecessary virtual environment files from the git history
v1.0.0
Initial release of WhatsApp HappyBDay. - Monitors WhatsApp groups to detect when someone should be congratulated. - Uses a score-based system for identifying birthdays/congratulatory events and extracts the recipient’s name. - Sends random, customizable congratulatory messages with support for simulation/testing mode. - Supports full customization with JSON dictionaries for keywords and messages. - Designed for easy integration with OpenClaw agent automation and includes setup instructions for environment variables and scheduling.
Metadata
Slug whatsapp-happybday
Version 1.0.2
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 3
Frequently Asked Questions

What is WhatsApp HappyBDay?

Monitor WhatsApp groups to dynamically detect people who should be congratulated. It identifies keywords (e.g., "birthday", "congratulations") and the person... It is an AI Agent Skill for Claude Code / OpenClaw, with 109 downloads so far.

How do I install WhatsApp HappyBDay?

Run "/install whatsapp-happybday" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is WhatsApp HappyBDay free?

Yes, WhatsApp HappyBDay is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does WhatsApp HappyBDay support?

WhatsApp HappyBDay is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created WhatsApp HappyBDay?

It is built and maintained by zero-astro (@zero-astro); the current version is v1.0.2.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463815 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259802 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200680 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191345 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190333 · by oswalpalash

💬 Comments