@openclaw/whatsapp No license 9 versions

@openclaw/whatsapp

npm Repository Homepage

OpenClaw WhatsApp channel plugin

9

Versions

—

License

No

Install Scripts

Verified

Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

steipetevincentkoc

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
semgrep	semgrep:etc-passwd-access	AI (semgrep): Appears only in a test asserting path-traversal is blocked; not runtime credential harvesting.	ai	2026/05/09
semgrep	semgrep:base64-decode	AI (semgrep): Test-only: decodes a QR PNG to verify its magic bytes; no payload hiding.	ai	2026/05/09
semgrep	semgrep:shady-links-raw-ip	AI (semgrep): Test fixture using 127.0.0.1 to assert private-network requests are blocked.	ai	2026/05/09
phantom-deps	phantom-dep:jimp	AI (phantom-deps): jimp is declared in dependencies and used via config/indirect import; stable false positive for this package.	ai	2026/05/09

Versions (showing 9 of 9)

Version	Deps	Published
2026.5.20	5 / 2	2026-05-21
2026.5.19	5 / 2	2026-05-20
2026.5.12	6 / 2	2026-05-14
2026.5.7	5 / 2	2026-05-07
2026.5.6	5 / 2	2026-05-06
2026.5.5	5 / 2	2026-05-06
2026.5.4	5 / 2	2026-05-05
2026.5.3	5 / 2	2026-05-04
2026.5.2	5 / 2	2026-05-02

v2026.5.20

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2026.5.19

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2026.5.12

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2026.5.7

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2026.5.6

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2026.5.5

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2026.5.4

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2026.5.3

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v2026.5.2

2 findings

HIGH etc-passwd-access: src/accounts.test.ts:13 semgrep

Accessing /etc/passwd or /etc/shadow — credential harvesting on Linux Source: https://github.com/openclaw/openclaw/blob/8842a5bd43a6874c86645d00dab80611a94d5850/src/accounts.test.ts#L13 11 | const { authDir } = resolveWhatsAppAuthDir({ 12 | cfg: stubCfg, > 13 | accountId: "../../../etc/passwd", 14 | }); 15 | // Sanitized accountId must not escape the whatsapp auth directory.

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.