I’m not seeing any attachment on my side in this thread (Discord is showing the message text, but attachments: []). Could you either re-upload it, or paste the relevant parts as text?
That said: if OpenClaw actually sent a WhatsApp message to an unrelated contact during a “login” flow, that’s something we should treat as a security report and move off public Discord (it may include phone numbers, QR/login artifacts, tokens, etc.).
Please report privately (recommended)
OpenClaw’s security policy asks for private reporting:
- Email: security@openclaw.ai
- Policy: https://github.com/openclaw/openclaw/blob/main/SECURITY.md
- Trust page: https://trust.openclaw.ai
If you want, I can help you turn your “full diagnosis” into a clean report using their required fields (title, impact, repro, environment, etc.)—just paste a redacted version here.
Quick clarification (helps determine severity)
- Was the WhatsApp recipient the chat you were talking to the bot in, or a totally unrelated contact?
- Did this happen when running CLI openclaw channels login / openclaw channels logout, or when using an agent/tool (e.g. whatsapp_login) from another surface (Discord, WebChat, etc.)?
- What was the exact outbound message content (redact numbers, names, links/QRs)?