by 安全扫描
OpenClaw
安全
high confidenceNULL
评估建议
This skill appears coherent: it relies on the Membrane CLI/service to talk to WhatsApp and does not ask for unrelated secrets. Before installing or running: 1) verify you trust getmembrane.com and the npm package @membranehq/cli (check npm page and publisher), 2) avoid installing global packages on sensitive systems or use a sandbox/container, 3) be aware the CLI will open an auth URL (or provide a code) — follow secure login procedures, and 4) confirm what Membrane will have access to in your W...详细分析 ▾
✓ 用途与能力
The name and description are WhatsApp-focused and the SKILL.md consistently instructs use of the Membrane CLI to create connections, list/run actions, and manage WhatsApp data. There are no unrelated credentials, binaries, or config paths requested that would be inconsistent with a WhatsApp integration.
✓ 指令范围
Instructions are limited to installing the Membrane CLI, logging in, creating/listing connections, discovering and running actions, and polling for action build state. The doc does not ask the agent to read arbitrary files, access unrelated environment variables, or exfiltrate data to non-Membrane endpoints. It includes headless and interactive login flows which are appropriate for CLI auth.
ℹ 安装机制
The skill has no formal install spec (instruction-only) but directs the user to install @membranehq/cli via `npm install -g`. Installing a global npm package is a typical but non-trivial step (writes to the system, requires privileges). This is expected for a CLI-based integration but users should confirm the package and source (official @membranehq) before installing.
✓ 凭证需求
The skill declares no required env vars, no primary credential, and no config paths. The SKILL.md explicitly delegates credential handling to Membrane and advises not to ask users for API keys. Requested access is proportionate to a connector-based WhatsApp integration.
✓ 持久化与权限
The skill is not always-on and does not request system-wide persistent configuration. It is default-eligible for autonomous invocation (platform default) but there is no evidence here of the skill seeking elevated persistent privileges or modifying other skills' configs.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv1.0.32026/3/5
NULL
● 无害
安装命令
点击复制官方npx clawhub@latest install whatsapp-integration
镜像加速npx clawhub@latest install whatsapp-integration --registry https://cn.longxiaskill.com