← Back to Skills Marketplace

WhatsApp Validate

Name: WhatsApp Validate
Author: marcosrippel

by Marcos Santos · GitHub ↗ · v1.0.0

cross-platform ⚠ suspicious

551

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install whatsapp-validate

Description

Check if phone numbers exist in the local Baileys session cache

Usage Guidance

This skill reads your local OpenClaw WhatsApp credential directory (~/.openclaw/credentials/whatsapp/default or the directory set by OPENCLAW_STATE_DIR) and parses session/device files and contacts.json to determine which phone numbers are known. It does not perform network calls in the included code, but the registry/manifest/SKILL.md do not declare the config path or the fact it requires Node. Before installing: - If you plan to use it, verify you have Node and consider running the script manually in a safe environment first (e.g., a throwaway account or VM) to confirm behavior. - If you use the skill with a real WhatsApp account, be aware it reads your session/contacts data — only install if you trust the skill owner and accept local exposure of that data. - Ask the author to update the manifest/SKILL.md to declare required binaries (node) and the exact config path(s) this skill reads (or allow overriding with OPENCLAW_STATE_DIR), and to document privacy considerations. - If you are uncomfortable, do not install or run it against a production account; run it in an isolated environment or inspect/modify the script to limit file reads to a safe test directory.

Capability Analysis

Type: OpenClaw Skill Name: whatsapp-validate Version: 1.0.0 The skill's purpose is to validate phone numbers against a local WhatsApp (Baileys) session cache. The `scripts/validate.js` file accesses the `OPENCLAW_STATE_DIR/credentials/whatsapp/default` directory, which is a sensitive location, but this access is directly aligned with the skill's stated purpose of querying Baileys session data. The script specifically extracts phone numbers from session filenames and a `contacts.json` file, not attempting to exfiltrate actual credential tokens or other unrelated sensitive data. Furthermore, the script includes robust input sanitization (`replace(/\D/g, '')`) for phone numbers, mitigating potential command injection vulnerabilities within the Node.js script itself. The `SKILL.md` provides standard usage instructions without any malicious prompt injection attempts.

Capability Assessment

⚠ Purpose & Capability

The script's purpose (checking the local Baileys/WhatsApp cache) matches the skill name/description, but the skill manifest declares no required config paths or binaries while the code reads files from the user's OpenClaw credentials directory (~/.openclaw/... or OPENCLAW_STATE_DIR). Not declaring access to credential storage is a notable mismatch.

⚠ Instruction Scope

SKILL.md instructs the agent to exec a Node script but does not disclose that the script will read the user's WhatsApp credential directory and contacts.json. The runtime code enumerates session- and device-list files and reads contacts.json — it accesses local sensitive state (WhatsApp session/contacts) even though the instructions do not explicitly call this out.

ℹ Install Mechanism

There is no install spec (instruction-only) which is low risk, but the skill includes a JS script that requires node at runtime. The manifest did not list 'node' as a required binary. This omission is an inconsistency the user should be aware of (you must have Node available to run it).

⚠ Credentials

The code reads from a credential path derived from OPENCLAW_STATE_DIR or the default ~/.openclaw path and loads contacts/session files. The skill declares no required env vars or config paths in the registry metadata. Access to local credential files is sensitive and should have been declared; the requested access is proportionate to the described function but is not advertised in the manifest.

✓ Persistence & Privilege

The skill is not always-included, does not request elevated/persistent privileges, does not modify other skills or system configuration, and contains no autonomous persistence behavior in the code.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install whatsapp-validate
After installation, invoke the skill by name or use /whatsapp-validate
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

Initial release. Validates phone numbers against the local Baileys session cache. Supports single number checks, batch validation of multiple numbers, and listing all known WhatsApp numbers. No live API calls needed.

Metadata

Slug whatsapp-validate

Version 1.0.0

License —

All-time Installs 2

Active Installs 2

Total Versions 1

Frequently Asked Questions

What is WhatsApp Validate?

Check if phone numbers exist in the local Baileys session cache. It is an AI Agent Skill for Claude Code / OpenClaw, with 551 downloads so far.

How do I install WhatsApp Validate?

Run "/install whatsapp-validate" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is WhatsApp Validate free?

Yes, WhatsApp Validate is completely free (open-source). You can download, install and use it at no cost.

Which platforms does WhatsApp Validate support?

WhatsApp Validate is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created WhatsApp Validate?

It is built and maintained by Marcos Santos (@marcosrippel); the current version is v1.0.0.

More Skills