Latest release: v2026.5.28
Security Scan
OpenClaw scan result: Benign (high confidence)
Purpose & Capability
The package purpose is coherent: an official @openclaw WhatsApp channel plugin that links WhatsApp Web, receives and sends chats, handles media, reactions, polls, setup, and approvals within OpenClaw.
Instruction Scope
The runtime touches sensitive chat content, attachments, voice notes, and approval reactions, but these flows are tied to the WhatsApp channel purpose; messageReceived plugin hooks are explicitly opt-in and approvals require configured approvers and approval routing.
Install Mechanism
The artifact is a normal npm-pack OpenClaw plugin with declared runtime/setup entries, no package lifecycle install scripts, and activation.onStartup set to false in the manifest.
Credentials
Network access to WhatsApp Web, local auth state, media handling, and ambient HTTP(S)_PROXY support are proportionate for this connector, but operators should control proxy environment variables, logs, and storage permissions.
Persistence & Privilege
The plugin persists WhatsApp auth credentials, media/session-related state, and temporary approval reaction bindings; this is disclosed by its channel setup/auth behavior and includes managed logout safeguards, but it is privacy-sensitive.
Scan Findings in Context
[SDI-2] expected: Inbound media download and local persistence were verified; this is expected for a WhatsApp attachment-capable channel, though retention and filesystem access should be managed.
[SDI-2] expected: Audio attachments can be passed to transcription when present; this is purpose-aligned for processing voice notes but creates derived sensitive text.
[SDI-2] expected: Approval reaction handling is present, but it is bound to approval prompt targets and checks configured approvers before resolving exec or plugin approvals.
[SDI-2] expected: Outbound media loading from URLs or host files is part of message sending; local file access depends on a supplied readFile/mediaAccess capability rather than an unconditional hidden file reader.
[SQP-2] expected: Inbound message bodies and media metadata are logged for operational handling; this is not exfiltration, but log privacy and retention matter.
[SQP-2] expected: The duplicate media-persistence concern is real but purpose-aligned for attachment handling and bounded by configured media size limits.
[SQP-2] expected: The duplicate audio-transcription concern is real but tied to voice-note processing, not an unrelated data flow.
[SQP-2] expected: Ambient proxy inheritance was verified for WebSocket/media traffic; it is a common network-runtime behavior and logs when used, but administrators should avoid untrusted proxy environment values.
[SQP-2] expected: The messageReceived hook can expose inbound message payloads to loaded plugins only when the documented pluginHooks.messageReceived setting is enabled.
Assessment
Install only if you are comfortable linking a WhatsApp Web session to OpenClaw. Use a separate WhatsApp number when possible, keep allowlists tight instead of open access, review log retention because messages and media metadata may appear in logs, protect the auth/media storage directories, and enable messageReceived hooks only for plugins you trust with chat contents.