← Back to Skills Marketplace

WhatsApp Common Groups

Name: WhatsApp Common Groups
Author: marcosrippel

by Marcos Santos · GitHub ↗ · v1.0.0

cross-platform ⚠ suspicious

655

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install whatsapp-common-groups

Description

Find groups shared between contacts and check group membership

Usage Guidance

This skill will run a bundled Node script that directly reads your OpenClaw WhatsApp credential folder (OPENCLAW_STATE_DIR or ~/.openclaw/credentials/whatsapp/default) and parses sender-key files and contacts.json to report group membership. The metadata and SKILL.md do not disclose this file access. Before installing or running it: (1) verify you trust the source or inspect scripts yourself, (2) check the exact path and contents of the credentials folder to understand what data would be read, (3) consider running the script manually in a sandbox or on a copy of the credential files, and (4) ask the maintainer to explicitly declare required config paths and env vars and to explain why those files are needed. Note: the script does not make network calls or upload data itself — it prints results to stdout, but whatever receives the output (agent logs, remote backend) could expose this information, so treat outputs as sensitive.

Capability Analysis

Type: OpenClaw Skill Name: whatsapp-common-groups Version: 1.0.0 The skill accesses sensitive WhatsApp credential and state files (e.g., `sender-key-*`, `contacts.json`) located in `OPENCLAW_STATE_DIR/credentials/whatsapp/default`. While this access is necessary for the skill's stated purpose of managing WhatsApp groups and members, direct interaction with credential files is a high-risk operation. The `SKILL.md` instructs the agent to use `exec({ cmd: "node <skill_dir>/scripts/common.js COMMAND [ARGS]" })`, which could introduce a shell injection vulnerability if the OpenClaw agent does not properly sanitize `COMMAND` and `ARGS` before execution. However, the `common.js` script itself does not exhibit malicious intent, such as data exfiltration to external endpoints or persistence mechanisms; it processes the data and outputs it to `stdout` as JSON.

Capability Assessment

⚠ Purpose & Capability

The script's behavior (scanning a local OpenClaw WhatsApp credentials directory for sender-key files and contacts.json) is consistent with the stated purpose of finding common WhatsApp groups. However, the skill metadata and SKILL.md do not declare that it needs access to local credential/config paths (the code uses OPENCLAW_STATE_DIR or ~/.openclaw/credentials/whatsapp/default). This undeclared requirement is a mismatch and should be disclosed.

⚠ Instruction Scope

SKILL.md shows only how to exec the Node script and does not mention that the script will read files from the user's local OpenClaw credentials directory. The instructions give the agent implicit permission to run a binary that reads potentially sensitive local files, which is not documented in the runtime instructions.

✓ Install Mechanism

There is no install spec (instruction-only with a bundled script). Nothing is downloaded or written to disk by an installer; risk from installation mechanism is low.

⚠ Credentials

The code reads process.env.OPENCLAW_STATE_DIR (if set) and otherwise defaults to ~/.openclaw/credentials/whatsapp/default, but the skill declares no required env vars or config paths. Accessing a credentials directory (and potentially contacts.json and sender-key files) is sensitive and should have been declared. The number and sensitivity of files accessed is disproportionate to the lack of declared permissions.

✓ Persistence & Privilege

The skill does not request persistent/always-on presence, does not modify other skill or system configs, and does not install background services. It only reads files and prints JSON to stdout.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install whatsapp-common-groups
After installation, invoke the skill by name or use /whatsapp-common-groups
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

Initial release. Finds shared groups between contacts, checks if a number belongs to a specific group, and lists all members across all groups. Built on Baileys sender-key cache data.

Metadata

Slug whatsapp-common-groups

Version 1.0.0

License —

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is WhatsApp Common Groups?

Find groups shared between contacts and check group membership. It is an AI Agent Skill for Claude Code / OpenClaw, with 655 downloads so far.

How do I install WhatsApp Common Groups?

Run "/install whatsapp-common-groups" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is WhatsApp Common Groups free?

Yes, WhatsApp Common Groups is completely free (open-source). You can download, install and use it at no cost.

Which platforms does WhatsApp Common Groups support?

WhatsApp Common Groups is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created WhatsApp Common Groups?

It is built and maintained by Marcos Santos (@marcosrippel); the current version is v1.0.0.

More Skills