whatsapp-web
Pass
Audited by Gen Agent Trust Hub on Apr 20, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The
src/browser.pyscript usessubprocess.Popento launch the Google Chrome browser. This is used for legitimate browser lifecycle management, employing security-relevant flags such as--remote-debugging-port,--user-data-dir, and--disable-blink-features=AutomationControlledto ensure an isolated and controlled automation environment. - [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface as it reads incoming message content from WhatsApp. This untrusted data is processed by the agent, which also has capabilities to perform actions like sending messages or deleting chats.
- Ingestion points: Incoming messages are read via
src/chat.pyin theread_last_messagesfunction. - Boundary markers: The skill does not implement specific delimiters or instructions to isolate untrusted message content from the agent's instructions.
- Capability inventory: The skill has capabilities including sending messages, creating groups, and deleting chats or groups (
src/chat.py,src/groups.py). - Sanitization: No sanitization of the message text is performed at the script level.
- [SAFE]: No evidence of hardcoded credentials, malicious data exfiltration, or suspicious network activity was found. All browser interactions are restricted to the local Chrome instance and the official WhatsApp Web domain.
Audit Metadata