← 返回 Skills 市场

Jentic WhatsApp QR

Name: Jentic WhatsApp QR
Author: seanblanchfield

作者 Sean Blanchfield · GitHub ↗ · v1.3.0

cross-platform ⚠ suspicious

417

总下载

当前安装

版本数

在 OpenClaw 中安装

/install jentic-whatsapp-qr

功能描述

Generate a clean WhatsApp pairing QR code PNG from a running OpenClaw agent and deliver it to the user via any channel. Use when a user asks to link WhatsApp...

使用说明 (SKILL.md)

WhatsApp Link

Captures the WhatsApp pairing QR, converts it to a clean PNG on disk, and sends it to the user.

⚠️ The QR expires in ~60 seconds. Only generate it when the user is ready to scan immediately.

⚠️ The script takes ~25–28 seconds to run (WhatsApp-controlled — this cannot be shortened). Tell the user upfront so they're not waiting in silence.

Tell the user: "Have WhatsApp open, go to Settings → Linked Devices → Link a Device. It'll take about 30 seconds to generate — let me know when you're ready." Wait for their confirmation before proceeding.

Steps

1. Fire the script immediately — as your very first action after confirmation:

python3 ./skills/jentic-whatsapp-qr/scripts/generate_qr.py /tmp/whatsapp_qr.png

⚡ Do not fetch thread context, read other files, or do any other work before starting the script. Every second of delay eats into the 60s QR window. Start the exec first, then do anything else while it runs.

The script forks a background process to keep the session alive for ~55s
It exits immediately once the PNG is written (stdout = file path, stderr = progress)
Exit code 0 = success; exit code 1 = error (already linked, failed, etc.)

2. Send the file to the user:

# Default (non-Mattermost, or Mattermost main channel):
# Use message tool:
# action: send
# media: "/tmp/whatsapp_qr.png"
# message: "Scan this in WhatsApp → Settings → Linked Devices → Link a Device. You have about 60 seconds!"

Mattermost thread delivery

If you are in a Mattermost thread (inbound metadata has topic_id or reply_to_id), the message tool cannot post files into threads. Use the Mattermost API directly:

SHIRKA_TOKEN=$(python3 -c "import json; print(json.load(open('/root/.openclaw/openclaw.json'))['env']['vars']['JENTIC_MM_SHIRKA_TOKEN'])")

# 1. Upload the file
FILE_ID=$(curl -s -X POST "https://mattermost.claw.jentic.ai/api/v4/files" \
  -H "Authorization: Bearer $SHIRKA_TOKEN" \
  -F "channel_id=CHANNEL_ID" \
  -F "files=@/tmp/whatsapp_qr.png;filename=whatsapp_qr.png" \
  | python3 -c "import json,sys; r=json.load(sys.stdin); print(r['file_infos'][0]['id'])")

# 2. Post into the thread
curl -s -X POST "https://mattermost.claw.jentic.ai/api/v4/posts" \
  -H "Authorization: Bearer $SHIRKA_TOKEN" \
  -H "Content-Type: application/json" \
  -d "{
    \"channel_id\": \"CHANNEL_ID\",
    \"root_id\": \"TOPIC_ID\",
    \"message\": \"Scan this now — you have ~60 seconds. WhatsApp → Settings → Linked Devices → Link a Device 👇\",
    \"file_ids\": [\"$FILE_ID\"]
  }"

Replace CHANNEL_ID with the channel from inbound metadata and TOPIC_ID with topic_id (or reply_to_id).

3. Tell the user:

"Scan that QR code in WhatsApp now — it expires in about 60 seconds. Once you've scanned it, WhatsApp will confirm the link. If it expires before you scan, just ask me to generate a new one."

Notes

generate_qr.py handles capture, filtering, and PNG conversion internally
qr_decode.py is a standalone utility used by generate_qr.py — no need to call it directly
Use media: "/tmp/whatsapp_qr.png" to send the file — never pass base64 image data through context
If already linked, the script exits with code 1 and an error message — no QR needed
Works on any channel (Mattermost, Signal, etc.) — message tool routes to current conversation
Set COLUMNS=120 is handled internally by the script
Interactive testing: run the script manually and open the PNG to verify before distributing

Interactive test (console)

# Run directly — stderr shows progress, stdout shows output path on success
python3 skills/jentic-whatsapp-qr/scripts/generate_qr.py /tmp/test_qr.png

# Then open/view the PNG to verify it's a proper square QR code
ls -lh /tmp/test_qr.png

安全使用建议

This skill’s core code to capture and convert a WhatsApp QR looks coherent and consistent with its description. The main concern is that the SKILL.md shows reading an internal OpenClaw config file (/root/.openclaw/openclaw.json) to pull a Mattermost bearer token (JENTIC_MM_SHIRKA_TOKEN) and using it to upload the PNG into a thread — but the skill metadata declares no required credentials or config paths. Before installing or running this skill: 1) Confirm you trust the skill author and the internal domain (mattermost.claw.jentic.ai). 2) Ask the author to declare any required config paths or environment variables (or change the workflow to require the user to supply a token explicitly) so you can review and grant only the needed permission. 3) If you do not want the skill to read agent config, run the script manually yourself (outside autonomous invocation) and deliver the PNG via your normal chat/file tools. 4) Inspect /root/.openclaw/openclaw.json on a test agent to see what token would be exposed and restrict access if necessary. 5) Prefer running the script interactively the first time to verify behavior rather than allowing autonomous runs. If the author clarifies and declares the token usage (or modifies the skill to avoid reading internal tokens), the incoherence would be resolved.

功能分析

Type: OpenClaw Skill Name: jentic-whatsapp-qr Version: 1.3.0 The skill is classified as suspicious due to its direct instruction to the AI agent to read a sensitive configuration file (`/root/.openclaw/openclaw.json`) to extract an API token, as seen in `SKILL.md`. While this token (`JENTIC_MM_SHIRKA_TOKEN`) is used for the stated purpose of delivering the QR code via Mattermost to `https://mattermost.claw.jentic.ai`, the capability to access such sensitive files and make external network calls represents a significant vulnerability if the agent could be prompted to read other secrets or exfiltrate data to arbitrary endpoints. The code itself (`generate_qr.py`, `qr_decode.py`) appears to be functional and not inherently malicious, but the agent's instructions in `SKILL.md` demonstrate risky capabilities.

能力评估

⚠ Purpose & Capability

The scripts' behavior (running `openclaw channels login --channel whatsapp`, capturing terminal output, converting block-character QR to PNG) matches the stated purpose. However, the SKILL.md also shows reading /root/.openclaw/openclaw.json to extract JENTIC_MM_SHIRKA_TOKEN for Mattermost thread uploads. The skill metadata declares no required config paths or credentials, so the documented access to an agent config file is inconsistent and unexplained.

⚠ Instruction Scope

SKILL.md correctly instructs immediate execution of the capture script to avoid QR expiry. But it also includes an inline python command that reads the agent's OpenClaw config file to obtain a Mattermost token and curl commands that post files to https://mattermost.claw.jentic.ai. That requires reading sensitive agent-local state and calling an external API — behavior outside the minimal QR-capture scope and not declared in requirements. The README's admonition not to read files before starting is contradicted by the token-read step required for thread delivery.

✓ Install Mechanism

This is an instruction-only skill with two small local Python scripts and no install spec. Nothing is downloaded from external URLs and no install actions are defined, which is the lower-risk model for skills.

⚠ Credentials

No env vars or config paths are declared, yet the SKILL.md demonstrates reading /root/.openclaw/openclaw.json to extract JENTIC_MM_SHIRKA_TOKEN. Accessing an agent config file and bearer token is disproportionate unless the skill explicitly requires permission to use that token. The code itself does not exfiltrate data, but the instructions show how to reuse an internal token to post to a Mattermost API — this is sensitive and should be declared and authorized explicitly.

✓ Persistence & Privilege

The skill does not request always:true and does not modify other skills or system-wide settings. The generate_qr.py forks a child to keep the login session alive for ~55s, which is expected behavior for this task.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install jentic-whatsapp-qr
安装完成后，直接呼叫该 Skill 的名称或使用 /jentic-whatsapp-qr 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.3.0

Start script immediately on confirmation (no pre-flight delays). Add Mattermost thread delivery via API. Document 25-28s script timing so users aren't surprised.

v1.2.0

Fix qr_decode.py: add argparse (--raw, --scale, --quiet), ANSI stripping, QR line filtering, remove duplicate code. Fixes crash on --raw flag and garbage-line inflation.

v1.1.0

Fix: use exec(pty=True) instead of script -q -c capture; remove Shirka-specific channel IDs from notes; correct skill name/description

元数据

Slug jentic-whatsapp-qr

版本 1.3.0

许可证 —

累计安装 0

当前安装数 0

历史版本数 3

常见问题