whatsapp-macos

Pass

Audited by Gen Agent Trust Hub on Apr 3, 2026

Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes shell commands via the /usr/bin/open binary in Sources/WhatsAppMCP/main.swift to launch the WhatsApp application. Additionally, the package.json file includes a postinstall script that executes swift build. These are legitimate uses of command execution for application lifecycle management and compilation.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8). It retrieves untrusted data from incoming WhatsApp messages through the handleReadMessages and handleGetActiveChat functions in Sources/WhatsAppMCP/main.swift. The skill lacks boundary markers or sanitization logic to prevent embedded instructions in these messages from influencing the agent's behavior. Combined with the skill's capabilities (e.g., handleSendMessage, handleNavigate, and handleQuit), this creates a surface where a malicious message could attempt to manipulate agent actions. Sanitization is limited to the cleanUnicode function, which only removes non-printing control characters.
  • [EXTERNAL_DOWNLOADS]: The build process fetches several external dependencies defined in Package.swift and Package.resolved, including the MacosUseSDK from a third-party GitHub repository. These downloads are performed by the Swift Package Manager as part of the standard build and installation workflow.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 3, 2026, 06:23 PM