whatsapp-macos

SUSPICIOUS. The core capabilities fit the stated WhatsApp-control purpose, and the tool scope is relatively narrow, but the install trust is weakened by an unverifiable package-name/command mismatch and lack of clear publisher provenance for `whatsapp-mcp-macos`. The skill also enables autonomous real-world messaging from the user's account, which raises risk even with confirm-before-send guidance.

No clear supply-chain/memory-obfuscation or network-based malicious behavior is present in this fragment. However, the code is an Accessibility-driven WhatsApp automation agent that (1) reads private message contents and (2) can send arbitrary messages provided via MCP inputs, while also manipulating the user clipboard and logging sensitive queries/descriptions to stderr. The main risk is abuse of the MCP interface (unauthorized callers) for privacy invasion and message spoofing, not direct exfiltration/C2 in this file.