WhatsApp HappyBDay
Author: zero-astro · GitHub · v1.0.2 · MIT-0
Total downloads: 109
Favorites: 0
Current installs: 0
Versions: 3
Install in OpenClaw
/install whatsapp-happybday
Description
Monitor WhatsApp groups to dynamically detect people who should be congratulated. It identifies keywords (e.g., "birthday", "congratulations") and the person...
Safe-use recommendations
What to consider before installing:
- Metadata mismatch: the skill's declared required env vars omit BIRTHDAY_SKIP_LIST (used by the code), and the metadata incorrectly lists BIRTHDAY_MIN_MESSAGES as the primary credential; treat these as errors in the package metadata.
- Command-injection risk: the script uses subprocess.run(..., shell=True) and builds shell commands containing group JIDs and generated messages (which can include extracted names from chat text). Untrusted group content could be crafted to inject shell commands. Before enabling the skill (especially with BIRTHDAY_SIMULATE=false), either: (a) review and harden the code to use subprocess.run([...], shell=False) or properly escape/quote inputs, or (b) sandbox execution (container) and keep it in simulation mode.
- Simulation first: keep BIRTHDAY_SIMULATE=true and test extensively. Inspect messages.json and scoring_words.json defaults and your skip list to avoid unwanted sends.
- Dependency and runtime: ensure python-dotenv is installed in the environment the agent will run in; the script exits if dotenv is missing. The script also contains a hardcoded user-site path fallback which is odd but not critical.
- Autonomy and cron: because the skill is intended for periodic autonomous runs, only enable it if you are comfortable with an automated agent sending messages on your behalf. If you need help making the subprocess usage safe, seek a code fix that removes shell=True and uses argument lists, or that sanitizes user-derived strings before embedding them into shell commands.
Functional analysis
Type: OpenClaw Skill
Name: whatsapp-happybday
Version: 1.0.2
The skill automates WhatsApp congratulations using the `wacli` tool, but contains a significant shell injection vulnerability in `scripts/whatsapp_happybday.py`. The script uses `subprocess.run` with `shell=True` to execute commands constructed from external data (such as group JIDs) without sanitization. Additionally, the code includes hardcoded local developer paths and redundant environment checks. While the behavior aligns with the stated purpose and no clear malicious intent or exfiltration was found, the high-risk command execution logic is a critical security flaw.
Capability assessment
Purpose & Capability
The code and SKILL.md match the stated purpose (uses wacli to read group messages, scores them, identifies names, and optionally sends replies). However the registry metadata is odd: primaryEnv is set to BIRTHDAY_MIN_MESSAGES (not a credential) and the declared required env vars omit BIRTHDAY_SKIP_LIST which the script and docs expect. That metadata mismatch is surprising and should be corrected.
Instruction Scope
The runtime instructions ask the agent to sync wacli, run the Python script, and create cron jobs — all coherent for the stated feature. But the SKILL.md and script use additional environment variables (e.g., BIRTHDAY_SKIP_LIST) that are not listed in requires.env. The instructions push for autonomous periodic execution and precise heartbeat behavior, which is fine for monitoring but increases risk if the script can execute arbitrary shell commands (see install_mechanism and environment_proportionality).
Install Mechanism
No install spec (instruction-only) and a small requirements.txt (python-dotenv). That is low risk in principle. However the script itself shells out to wacli via subprocess.run(..., shell=True) with interpolated values (group JIDs and generated messages). Because message content and names are derived from group text, this creates a command-injection risk if inputs aren't sanitized. The skill does not show any escaping/quoting safeguards.
Credentials
The skill only needs local access to wacli and a few configuration/environment variables, which is proportionate — but the registry lists only three required env vars while the SKILL.md and script rely on others (e.g., BIRTHDAY_SKIP_LIST). Marking BIRTHDAY_MIN_MESSAGES as primary credential is incorrect and misleading. Also simulation mode defaults to true (safer), but turning it off will cause the script to send messages; you should review and limit who/what it can message before disabling simulation.
Persistence & Privilege
The skill does not request always:true and does not require system-wide privileges. It writes its own state file under ~/.openclaw/skills/whatsapp-happybday/data which is expected for state tracking. Autonomous invocation is allowed (default) which is normal for skills, but combined with other concerns (shelling out with user-derived content) increases blast radius.
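How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: `/install whatsapp-happybday`
- Once installation completes, call the Skill by name or use `/whatsapp-happybday` to trigger it
- Provide the required inputs as described in the Skill's parameter documentation to get structured output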
Version history
v1.0.2
Fixed primaryEnv metadata (removed misleading BIRTHDAY_SKIP_LIST), unified silence response to HEARTBEAT_OK across all documentation, added default values for env vars
v1.0.1
Cleaned repository by removing unnecessary virtual environment files from the git history
v1.0.0
Initial release of WhatsApp HappyBDay.
- Monitors WhatsApp groups to detect when someone should be congratulated.
- Uses a score-based system for identifying birthdays/congratulatory events and extracts the recipient’s name.
- Sends random, customizable congratulatory messages with support for simulation/testing mode.
- Supports full customization with JSON dictionaries for keywords and messages.
- Designed for easy integration with OpenClaw agent automation and includes setup instructions for environment variables and scheduling.
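FAQ
What is WhatsApp HappyBDay?
Monitor WhatsApp groups to dynamically detect people who should be congratulated. It identifies keywords (e.g., "birthday", "congratulations") and the person... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 109 total downloads to date.
How do I install WhatsApp HappyBDay?
Run the command `/install whatsapp-happybday` in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.
Is WhatsApp HappyBDay free?
Yes. WhatsApp HappyBDay is completely free and released under the MIT-0 license; it can be freely downloaded, installed, and used.
Which platforms does WhatsApp HappyBDay support?
WhatsApp HappyBDay is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed WhatsApp HappyBDay?
It is developed and maintained by zero-astro (@zero-astro); the current version is v1.0.2.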