wacli-pro
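v1.0.0
Professional WhatsApp messaging via the wacli CLI. When the user wants the agent to send messages to others from their personal WhatsApp account, search c...
1 · 87 · 0 current · 0 cumulative
Security scan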
OpenClaw
Suspicious
Medium confidence
The skill's instructions and behavior match a WhatsApp CLI helper, but it omits a clear declaration that the wacli binary (and local WhatsApp auth) is required and has no provenance—this mismatch is a notable inconsistency you should understand before installing.
Assessment recommendations
This appears to be a legitimate WhatsApp CLI helper, but it has two practical gaps you should be comfortable with before installing: (1) the manifest does not declare the required 'wacli' binary or explain how local WhatsApp authentication is handled, and (2) there is no source/homepage or publisher info to verify provenance. Before using it: ensure you already have a trustworthy wacli installation, confirm where that tool stores auth tokens and whether you trust it, and verify the skill will on...
⚠ Purpose and capabilities
The skill is explicitly a wacli-based WhatsApp messaging helper, but the registry metadata lists no required binaries or credentials. In practice the runtime instructions assume a locally installed and authenticated 'wacli' CLI and access to the user's files (for attachments). The skill should have declared 'wacli' as a required binary and documented how authentication is handled; the omission is an incoherence.
ℹ Instruction scope
SKILL.md stays on task: it instructs using wacli commands to list chats, search/backfill history, draft messages, and send text/files, and it enforces confirmation before sending. This will cause the agent to read chat history via wacli and to reference local filesystem paths when attaching files — behavior consistent with the described purpose but also sensitive (it accesses personal chat history and local files).
✓ Install mechanism
Instruction-only skill with no install steps or remote downloads, so nothing is written to disk by the skill itself. Low install risk. However, it implicitly depends on an external binary (wacli) which is not declared.
ℹ Credential requirements
The skill requires no environment variables or credentials in the manifest, which is appropriate since auth is handled by the local wacli CLI. That said, the manifest should explicitly document that local wacli authentication/state is required (and where tokens/config live) so users understand what local secrets the skill will rely on.
✓ Persistence and privileges
No elevated persistence requested (always:false). The skill does not claim to modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but not combined with other high-risk flags.
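Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Install commands
Official: npx clawhub@latest install wacli-pro
Mirror (accelerated): npx clawhub@latest install wacli-pro --registry https://cn.longxiaskill.com (mirror available)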