MCP-INDEX

kahflane/whatsapp-mcpcritical

Give your AI agent a WhatsApp account — an MCP server with 87 tools for reading, sending, groups, status, scheduling & more. Works with Claude, Codex, Cursor, OpenCode & any MCP client.

This MCP server gives AI agents full control over a WhatsApp account, enabling reading, searching, sending, scheduling, and managing messages, groups,...

purpose: This MCP server gives AI agents full control over threat: local with credentials

TypeScript · ★ 1 · Jun 2, 2026 · ⚙ Jun 3, 2026 · GITHUB ↗

heuristic signalsenv.exposure shell.exec filesystem.read browser.automation network.http filesystem.write

RISK SCORE

0/ 100 risk

medium findings+420

capped at100

VULNERABILITY ANALYSIS · 28 findings in 28 blocks0 HIGH · 28 MEDIUM

MEDIUM1 finding

src/tools/broadcast.ts:54

54const statusJidList = recipients.map((r) => (r.includes("@") ? r : phoneToJid(r)));

src/tools/broadcast.ts:54

// Local-only MCP, requires compromised LLM to exploit

EXPLAINThe broadcast tool accepts arbitrary strings as recipients and converts them to JIDs using phoneToJid. There is no validation that the recipients are valid phone numbers or JIDs, nor that they belong to the user's contacts. An attacker could supply arbitrary JIDs or malformed strings, potentially causing unexpected behavior or errors.

IMPACTA compromised LLM could send broadcasts to arbitrary JIDs, including non-existent numbers or internal WhatsApp JIDs, potentially causing errors or abuse of the broadcast feature.

FIXValidate that each recipient is a valid phone number or JID format before sending. Consider checking against the contact list or using wa_check_number before broadcast.

MEDIUM1 finding

// Source file not analyzed: src/tools/write.ts

// Finding inferred from import chain: src/server.ts:38

src/server.ts:38

// Local-only MCP, requires compromised LLM to exploit

EXPLAINThe send tools (wa_send_text, wa_send_media, etc.) likely accept a JID without validation. An attacker could send messages to arbitrary JIDs, potentially enabling spam, phishing, or harassment.

IMPACTA compromised LLM could send messages to any WhatsApp number, including non-contacts, potentially causing abuse or ban.

FIXValidate that the target JID is a valid contact or group, and consider requiring wa_check_number before sending to unknown numbers.

MEDIUM1 finding

// Source file not analyzed: src/tools/read.ts

// Finding inferred from import chain: src/server.ts:37

src/server.ts:37

// Local-only MCP, requires compromised LLM to exploit

EXPLAINThe read tools likely accept chat JIDs without validation. An attacker could read messages from arbitrary chats, potentially accessing private conversations.

IMPACTA compromised LLM could read messages from any chat the account has access to, potentially leaking sensitive information.

FIXValidate that the chat JID is a valid chat and that the user has permission to read it.

MEDIUM1 finding

src/tools/broadcast.ts:49

49async ({ recipients, text }) => {
50      const restricted = sendBlocked();
51      if (restricted) return errorResult(restricted);
52      const blocked = notReady();
53      if (blocked) return errorResult(blocked);
54      const statusJidList = recipients.map((r) => (r.includes("@") ? r : phoneToJid(r)));
55      try {
56        const sent: any = await getSock().sendMessage(
57          "status@broadcast",
58          { text } as any,
59          { statusJidList, broadcast: true } as any,
60        );
61        return textResult(
62          { messageId: sent?.key?.id ?? null, recipients: statusJidList.length },
63          `Broadcast sent to ${statusJidList.length} recipient(s).`,
64        );
65      } catch (e: any) {
66        return errorResult(`broadcast send failed: ${e?.message ?? e}`);
67      }
68    },

src/tools/broadcast.ts:49

// Local-only MCP, requires compromised LLM to exploit

EXPLAINThe wa_send_broadcast tool accepts a list of recipients without validation. An attacker could supply arbitrary JIDs or phone numbers, potentially sending broadcasts to non-contacts or malicious numbers. There is no check that recipients are valid WhatsApp users or that the user has permission to message them.

IMPACTA compromised LLM could send broadcasts to arbitrary numbers, potentially causing spam, harassment, or account ban.

FIXValidate that each recipient is a valid phone number or JID format. Consider checking against the contact list or using wa_check_number before sending.

MEDIUM1 finding

src/tools/autoreply.ts:48

48async (args) => {
49      if (!args.keywords && !args.pattern && !args.exactMatch)
50        return errorResult("provide one matcher: keywords, pattern, or exactMatch");
51      try {
52        const rule = addRule(args);
53        return textResult({ rule, enabled: isEnabled() }, "Rule added.");
54      } catch (e: any) {
55        return errorResult(`could not add rule: ${e?.message ?? e}`);
56      }
57    },

src/tools/autoreply.ts:48

// Local-only MCP, requires compromised LLM to exploit

EXPLAINThe wa_autoreply_add_rule tool accepts a regex pattern without validation. An attacker could inject a malicious regex pattern that causes ReDoS (Regular Expression Denial of Service) or matches unintended messages. The pattern is passed directly to addRule without sanitization.

IMPACTA compromised LLM could add a regex pattern that causes excessive CPU usage when processing messages, potentially causing denial of service or matching unintended messages.

FIXValidate that the regex pattern is safe and does not contain catastrophic backtracking patterns. Consider using a regex parser with timeout.

MEDIUM1 finding

src/tools/broadcast.ts:29

29const info = await sock.getBroadcastListInfo(broadcastJid);

src/tools/broadcast.ts:29

// Local-only MCP, requires compromised LLM to exploit

EXPLAINThe wa_broadcast_info tool accepts a broadcastJid string without any validation. An attacker could pass arbitrary JIDs, potentially causing the server to query non-existent broadcast lists or leak information about internal WhatsApp entities.

IMPACTA compromised LLM could attempt to query arbitrary broadcast JIDs, potentially causing errors or information leakage about broadcast list existence.

FIXValidate that the broadcastJid ends with '@broadcast' and is a valid format before querying.

MEDIUM1 finding

src/tools/broadcast.ts:22

22async ({ broadcastJid }) => {
23      const blocked = notReady();
24      if (blocked) return errorResult(blocked);
25      const sock: any = getSock();
26      if (typeof sock.getBroadcastListInfo !== "function")
27        return errorResult("getBroadcastListInfo not available in this Baileys version");
28      try {
29        const info = await sock.getBroadcastListInfo(broadcastJid);
30        return textResult(info);
31      } catch (e: any) {
32        return errorResult(`broadcast info failed: ${e?.message ?? e}`);
33      }
34    },

src/tools/broadcast.ts:22

// Local-only MCP, requires compromised LLM to exploit

EXPLAINThe wa_broadcast_info tool accepts a broadcastJid without any validation. An attacker could pass arbitrary JIDs, potentially causing the server to query non-existent broadcast lists or leak information about internal WhatsApp entities.

IMPACTA compromised LLM could attempt to query arbitrary broadcast JIDs, potentially causing errors or information leakage about broadcast list existence.

FIXValidate that the broadcastJid ends with '@broadcast' and is a valid format before querying.

MEDIUM1 finding

// Source file not analyzed: src/tools/groups.ts

// Finding inferred from import chain: src/server.ts:44

src/server.ts:44

// Local-only MCP, requires compromised LLM to exploit

EXPLAINThe group management tools (wa_create_group, wa_add_group_member, etc.) likely accept JIDs without validation. An attacker could add arbitrary numbers to groups, create groups with malicious names, or remove members arbitrarily.

IMPACTA compromised LLM could add arbitrary contacts to groups, create groups with offensive names, or remove members, potentially causing social engineering or harassment.

FIXValidate that JIDs are valid and that the user has appropriate permissions. Consider rate limiting group operations.

MEDIUM1 finding

// Source file not analyzed: src/tools/privacy.ts

// Finding inferred from import chain: src/server.ts:47

src/server.ts:47

// Local-only MCP, requires compromised LLM to exploit

EXPLAINThe block/unblock tools likely accept a JID without validation. An attacker could block arbitrary contacts, potentially disrupting communication or causing denial of service.

IMPACTA compromised LLM could block important contacts, potentially causing communication disruption.

FIXValidate that the JID is a valid contact. Consider requiring confirmation before blocking.

MEDIUM1 finding

// Source file not analyzed: src/tools/commerce.ts

// Finding inferred from import chain: src/server.ts:51

src/server.ts:51

// Local-only MCP, requires compromised LLM to exploit

EXPLAINThe commerce tools likely accept product details without validation. An attacker could send fraudulent commerce messages or query commerce information.

IMPACTA compromised LLM could send fake product messages or order messages, potentially enabling scams.

FIXValidate that commerce data is well-formed and that the user has appropriate permissions.

MEDIUM1 finding

// Source file not analyzed: src/tools/calls.ts

// Finding inferred from import chain: src/server.ts:50

src/server.ts:50

// Local-only MCP, requires compromised LLM to exploit

EXPLAINThe wa_get_call_log tool likely returns call logs without validation. An attacker could query call logs for arbitrary JIDs or time periods, potentially leaking sensitive call history.

IMPACTA compromised LLM could retrieve call logs, potentially revealing communication patterns.

FIXEnsure that call log queries are scoped to the user's own data and that no arbitrary JID filtering is allowed.

MEDIUM1 finding

// Source file not analyzed: src/tools/users.ts

// Finding inferred from import chain: src/server.ts:48

src/server.ts:48

// Local-only MCP, requires compromised LLM to exploit

EXPLAINThe user info tools likely accept JIDs without validation. An attacker could query information about arbitrary users, potentially leaking contact details.

IMPACTA compromised LLM could retrieve information about arbitrary contacts, potentially leaking personal data.

FIXValidate that the JID is a valid contact and that the user has permission to view that contact's info.

MEDIUM1 finding

// Source file not analyzed: src/tools/richmsg.ts

// Finding inferred from import chain: src/server.ts:49

src/server.ts:49

// Local-only MCP, requires compromised LLM to exploit

EXPLAINThe rich message tools likely accept arbitrary content without validation. An attacker could send rich messages with malicious content or links.

IMPACTA compromised LLM could send rich messages containing phishing links or malicious content.

FIXValidate that rich message content is safe and does not contain malicious URLs or scripts.

MEDIUM1 finding

// Source file not analyzed: src/tools/status_post.ts

// Finding inferred from import chain: src/server.ts:43

src/server.ts:43

// Local-only MCP, requires compromised LLM to exploit

EXPLAINThe status post tools likely accept arbitrary text or media without validation. An attacker could post offensive or malicious status updates visible to all contacts.

IMPACTA compromised LLM could post inappropriate status updates, potentially damaging reputation or spreading misinformation.

FIXValidate that status text is within reasonable length and does not contain prohibited content. Validate media files.

MEDIUM1 finding

// Source file not analyzed: src/tools/templates.ts

// Finding inferred from import chain: src/server.ts:40

src/server.ts:40

// Local-only MCP, requires compromised LLM to exploit

EXPLAINThe template tools likely accept template content without validation. An attacker could create templates with malicious content or delete existing templates.

IMPACTA compromised LLM could create or delete message templates, potentially disrupting business communications or injecting malicious templates.

FIXValidate template content and restrict deletion to templates created by the user.

MEDIUM1 finding

// Source file not analyzed: src/tools/buttons.ts

// Finding inferred from import chain: src/server.ts:41

src/server.ts:41

// Local-only MCP, requires compromised LLM to exploit

EXPLAINThe button and list message tools likely accept arbitrary button/lists without validation. An attacker could send interactive messages with malicious options.

IMPACTA compromised LLM could send button or list messages with misleading options, potentially enabling phishing.

FIXValidate that button titles and list sections are safe and do not contain malicious content.

MEDIUM1 finding

// Source file not analyzed: src/tools/chatmgmt.ts

// Finding inferred from import chain: src/server.ts:45

src/server.ts:45

// Local-only MCP, requires compromised LLM to exploit

EXPLAINThe chat management tools likely accept JIDs without validation. An attacker could archive, mute, or pin arbitrary chats, potentially disrupting the user's chat organization.

IMPACTA compromised LLM could archive important chats, mute notifications, or pin irrelevant chats, causing confusion or missed messages.

FIXValidate that the JID is a valid chat and that the action is appropriate.

MEDIUM1 finding

// Source file not analyzed: src/tools/contacts.ts

// Finding inferred from import chain: src/server.ts:35

src/server.ts:35

// Local-only MCP, requires compromised LLM to exploit

EXPLAINThe contact tools likely accept JIDs without validation. An attacker could query arbitrary contacts, potentially leaking contact information.

IMPACTA compromised LLM could retrieve contact details for any JID, potentially leaking personal information.

FIXValidate that the JID is a valid contact and that the user has permission to view it.

MEDIUM1 finding

// Source file not analyzed: src/tools/chats.ts

// Finding inferred from import chain: src/server.ts:36

src/server.ts:36

// Local-only MCP, requires compromised LLM to exploit

EXPLAINThe chat tools likely accept JIDs without validation. An attacker could query arbitrary chats, potentially leaking chat metadata.

IMPACTA compromised LLM could retrieve chat details for any chat, potentially leaking conversation metadata.

FIXValidate that the chat JID is a valid chat and that the user has permission to view it.

MEDIUM1 finding

// Source file not analyzed: src/tools/groups.ts

// Finding inferred from import chain: src/server.ts:44

src/server.ts:44

// Local-only MCP, requires compromised LLM to exploit

EXPLAINThe group info tools likely accept group JIDs without validation. An attacker could query information about arbitrary groups, potentially leaking group membership and metadata.

IMPACTA compromised LLM could retrieve group information for any group the account is a member of, potentially leaking sensitive group data.

FIXValidate that the group JID is a valid group and that the user is a member.

MEDIUM1 finding

// Source file not analyzed: src/tools/status.ts

// Finding inferred from import chain: src/server.ts:34

src/server.ts:34

// Local-only MCP, requires compromised LLM to exploit

EXPLAINThe wa_get_status tool likely returns status updates without validation. An attacker could query status updates for arbitrary contacts, potentially leaking private statuses.

IMPACTA compromised LLM could retrieve status updates from contacts, potentially leaking personal information.

FIXEnsure that status queries are scoped to the user's own contacts and that no arbitrary JID filtering is allowed.

MEDIUM1 finding

// Source file not analyzed: src/tools/schedule.ts

// Finding inferred from import chain: src/server.ts:39

src/server.ts:39

// Local-only MCP, requires compromised LLM to exploit

EXPLAINThe schedule management tools likely accept IDs without validation. An attacker could list or cancel scheduled messages for arbitrary IDs, potentially disrupting scheduled communications.

IMPACTA compromised LLM could cancel important scheduled messages or list all scheduled messages, potentially leaking future communication plans.

FIXValidate that the scheduled message ID belongs to the user and that the action is authorized.

MEDIUM1 finding

// Source file not analyzed: src/tools/groups.ts

// Finding inferred from import chain: src/server.ts:44

src/server.ts:44

// Local-only MCP, requires compromised LLM to exploit

EXPLAINThe wa_get_group_invite_link tool likely accepts a group JID without validation. An attacker could request invite links for arbitrary groups, potentially leaking sensitive group information.

IMPACTA compromised LLM could obtain invite links for any group the account is a member of, potentially leaking group access.

FIXValidate that the group JID is a valid group JID and that the user is a member before returning the invite link.

MEDIUM1 finding

// Source file not analyzed: src/tools/schedule.ts

// Finding inferred from import chain: src/server.ts:39

src/server.ts:39

// Local-only MCP, requires compromised LLM to exploit

EXPLAINThe wa_schedule_message tool likely accepts a JID and content without validation. An attacker could schedule messages to arbitrary JIDs with arbitrary content, potentially enabling spam or abuse.

IMPACTA compromised LLM could schedule messages to any JID, including non-contacts, potentially causing spam or harassment.

FIXValidate that the target JID is a valid contact or group, and that the content is appropriate. Consider rate limiting.

MEDIUM1 finding

// Source file not analyzed: src/tools/read.ts

// Finding inferred from import chain: src/server.ts:37

src/server.ts:37

// Local-only MCP, requires compromised LLM to exploit

EXPLAINThe wa_get_media tool likely accepts a message ID and downloads media from WhatsApp servers. Without validation, an attacker could attempt to download media from arbitrary messages, potentially accessing sensitive media files.

IMPACTA compromised LLM could download media from any message in the chat history, potentially accessing private images, videos, or documents.

FIXEnsure that the message ID is validated to belong to a chat the user has access to, and that the media is not restricted.

MEDIUM1 finding

src/tools/autoreply.ts:81

81async ({ id, active, clearAll }) => {
82      if (clearAll) {
83        clearRules();
84        return noteResult("Cleared all rules.");
85      }
86      if (!id) return errorResult("provide id (or clearAll)");
87      if (active != null) {
88        setRuleActive(id, active);
89        return noteResult(`Rule ${id} ${active ? "activated" : "paused"}.`);
90      }
91      const ok = removeRule(id);
92      return ok ? noteResult(`Removed ${id}.`) : errorResult(`no rule ${id}`);
93    },

src/tools/autoreply.ts:81

// Local-only MCP, requires compromised LLM to exploit

EXPLAINThe wa_autoreply_remove_rule tool accepts an id without validation. An attacker could remove arbitrary rules by guessing IDs, or clear all rules with clearAll. This could disrupt auto-reply functionality.

IMPACTA compromised LLM could remove important auto-reply rules or clear all rules, potentially disrupting automated responses.

FIXValidate that the rule ID exists and belongs to the user. Consider requiring confirmation for clearAll.

MEDIUM1 finding

// Source file not analyzed: src/tools/profile.ts

// Finding inferred from import chain: src/server.ts:46

src/server.ts:46

// Local-only MCP, requires compromised LLM to exploit

EXPLAINThe profile update tools (wa_set_profile_name, wa_set_profile_about, wa_set_profile_avatar) likely accept arbitrary strings or file paths without validation. An attacker could set offensive profile information or change the avatar to inappropriate content.

IMPACTA compromised LLM could change the user's profile name, about, or avatar to offensive or misleading content, potentially damaging reputation.

FIXValidate that profile name and about text are within reasonable length and do not contain prohibited content. Validate avatar file path or data.

MEDIUM1 finding

// Source file not analyzed: src/tools/privacy.ts

// Finding inferred from import chain: src/server.ts:47

src/server.ts:47

// Local-only MCP, requires compromised LLM to exploit

EXPLAINThe wa_set_privacy tool likely accepts privacy settings without validation. An attacker could change privacy settings to expose the user's profile photo, last seen, or status to everyone, potentially compromising privacy.

IMPACTA compromised LLM could change privacy settings to expose sensitive information to strangers.

FIXValidate that the privacy settings are valid and within expected values. Consider requiring confirmation for sensitive changes.

◷ 6/3/2026

Findings are produced by automated LLM analysis and may include false positives or miss issues. Verify independently before acting.