Twilio WhatsApp Channel

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Twilio WhatsApp channel plugin with expected network, credential, webhook, and media-file behavior for its stated purpose.

Install only if you are comfortable giving this community plugin Twilio credentials and exposing an HTTPS webhook to your OpenClaw gateway. Prefer allowlist mode, restrict allowed phone numbers, treat logs as sensitive when diagnostics are enabled, and remember that WhatsApp media may be stored persistently in the OpenClaw state directory.

Publisher note

Provided a new channel for WhatsApp through the officially supported Twilio route.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 90%
Finding
The diagnostic logging around startup records sensitive environment and account-related metadata such as HOME, OPENCLAW_STATE_DIR, USER/USERPROFILE, uid, resolved filesystem paths, and account identifiers. While useful for troubleshooting, these values can expose deployment internals and identity/context information to anyone with log access, which can aid further attacks or leak operationally sensitive data.

VirusTotal

66/66 vendors flagged this plugin as clean.