WhatsApp Common Groups

Find groups shared between contacts and check group membership

This skill will run a bundled Node script that directly reads your OpenClaw WhatsApp credential folder (OPENCLAW_STATE_DIR or ~/.openclaw/credentials/whatsapp/default) and parses sender-key files and contacts.json to report group membership. The metadata and SKILL.md do not disclose this file access. Before installing or running it: (1) verify you trust the source or inspect scripts yourself, (2) check the exact path and contents of the credentials folder to understand what data would be read, (3) consider running the script manually in a sandbox or on a copy of the credential files, and (4) ask the maintainer to explicitly declare required config paths and env vars and to explain why those files are needed. Note: the script does not make network calls or upload data itself — it prints results to stdout, but whatever receives the output (agent logs, remote backend) could expose this information, so treat outputs as sensitive.

Type: OpenClaw Skill Name: whatsapp-common-groups Version: 1.0.0 The skill accesses sensitive WhatsApp credential and state files (e.g., `sender-key-*`, `contacts.json`) located in `OPENCLAW_STATE_DIR/credentials/whatsapp/default`. While this access is necessary for the skill's stated purpose of managing WhatsApp groups and members, direct interaction with credential files is a high-risk operation. The `SKILL.md` instructs the agent to use `exec({ cmd: "node <skill_dir>/scripts/common.js COMMAND [ARGS]" })`, which could introduce a shell injection vulnerability if the OpenClaw agent does not properly sanitize `COMMAND` and `ARGS` before execution. However, the `common.js` script itself does not exhibit malicious intent, such as data exfiltration to external endpoints or persistence mechanisms; it processes the data and outputs it to `stdout` as JSON.