2.0 KiB
2.0 KiB
2026-02-13 - Investigation Notes
WhatsApp Privacy Leak - CHANNEL NAMES EXPOSED
Problem
Anthony seeing channel names (like "fumos") from community groups - privacy concern.
Root Cause Found
WhatsApp Channels (@broadcast) are being synced to credentials:
- Location:
/home/openclaw/.openclaw/credentials/whatsapp/default/ - Files:
sender-key-status@broadcast--*files - These indicate participation in WhatsApp Channels (Meta's broadcast feature)
- Filenames expose channel/group IDs
Technical Details
- Found 3 @broadcast files:
sender-key-status@broadcast--61481283201--0.json(623 bytes)sender-key-status@broadcast--6281936360900--0.json(2979 bytes)sender-key-status@broadcast--6282340396632--0.json(1807 bytes)
- These contain sender keys for WhatsApp Channels
- Channel names are being exposed somewhere in the WhatsApp plugin UI or chat list
Possible Sources of Leak
- WhatsApp plugin auto-syncs channel metadata
- Chat list/cache contains channel names
- Plugin discovery feature lists all available chats on connection
Fix Options Presented to Anthony
- Option A: Temporarily disable WhatsApp plugin
- Option B: Clear @broadcast channel data from credentials
- Option C: Configure restrictive settings to prevent channel discovery/sync
Status
Pending Anthony's decision on which fix approach to take.
Backup Gap Investigation (Continued)
Confirmed Missing from Backups
/home/openclaw/.openclaw/cron/- all cron jobs (Morning Briefing, Daily Backup)/home/openclaw/.openclaw/openclaw.json- gateway and model config/home/openclaw/.openclaw/skills/- installed skills
Cron Jobs Status
- Morning Briefing: ✅ Recreated at 7:05 AM daily
- Daily Backup: ✅ Running at 2 AM daily
Files Involved
- Cron file:
/home/openclaw/.openclaw/cron/jobs.json - Backup script:
/home/openclaw/.openclaw/workspace/scripts/backup-to-gittea.sh - Backup repo:
http://gitea.kangaroo-eel.ts.net:3000/Anthony/openclaw-backup.git