OpenClaw WhatsApp

WhatsApp bridge for OpenClaw — send/receive messages, auto-reply agents, QR pairing, message search, contact sync

Before installing, inspect the remote install.sh on GitHub (do not run curl | bash blindly). Verify what that installer writes (binaries, systemd unit, network endpoints) and whether the binary is signed or from a trustworthy source. Note the included scripts will copy files to /usr/local/bin and enable a user systemd service — that requires elevated privileges and creates persistent processes. The relay scripts pass WhatsApp message contents (including recent history) into your local openclaw agent via a generated prompt; if your agent is allowed to perform actions (or has network access), those message contents could be used to trigger external actions. Check and limit the system_prompt, allowlist/blocklist, and any webhooks you configure. If you want to reduce risk: (1) run the installer in a sandbox or review/replicate its steps manually, (2) install binaries to a user-owned directory instead of /usr/local/bin, (3) run the bridge under an unprivileged user account and inspect logs, (4) set OC_WA_* env vars explicitly and limit system_prompt capabilities, and (5) confirm the GitHub repo and author (0xs4m1337) are trustworthy or host your own vetted build.

Type: OpenClaw Skill Name: openclaw-whatsapp Version: 0.3.0 The skill bundle contains a critical shell injection vulnerability in `scripts/wa-notify-worker.sh`. The `$jid` variable, derived from user-controlled WhatsApp messages, is directly embedded into a `curl` command's URL without proper sanitization, allowing an attacker to execute arbitrary shell commands on the host system. Additionally, the `SKILL.md` instructs users to install the main binary via `curl | bash` from a remote GitHub URL, posing a supply chain risk. The skill also presents a prompt injection surface against the OpenClaw agent, as user-controlled message content is incorporated into the prompt.