DEV Community

Cover image for I thought the safest WhatsApp code assistant was the one that knew my whole repo. That was the mistake
Lars Winstand
Lars Winstand

Posted on • Originally published at standardcompute.com

I thought the safest WhatsApp code assistant was the one that knew my whole repo. That was the mistake

#ai #security #developers #openclaw

A while back, I was digging through discussions about private-code assistants and found a post on r/openclaw that immediately changed how I think about chat-based code agents.

The setup sounded reasonable:

  • new phone number just for WhatsApp
  • assistant connected to proprietary source code
  • goal was to answer questions in a group chat

Then came the line that turned this from a convenience problem into an architecture problem:

“I intend to ask questions ... in a group with people who are not supposed to have direct access to the source code.”

That is exactly the kind of thing teams try to build.

It is also where a code assistant stops being "helpful" and starts becoming a containment problem.

Not because WhatsApp is uniquely bad.
Not because OpenClaw is bad.
Not because Claude, GPT-5, Qwen, or Llama are bad.

The issue is simpler:

If your agent can see too much, your chat surface can leak too much.

And there’s a second problem right behind it for anyone running agents at scale:

the safer architecture often creates more inference calls.

Retrieval-heavy workflows on WhatsApp, Slack, Discord, OpenClaw, n8n, Make, Zapier, or custom agent stacks branch, retry, summarize, and retrieve constantly. Under per-token pricing, the safer design can also be the more expensive design.

That’s why this topic matters for both security and cost.

The real risk is not transport encryption

People love to focus on transport security because it feels concrete.

WhatsApp has end-to-end encryption. Good. That matters.

But once a message leaves the WhatsApp client and hits your gateway, then OpenClaw, then a model with tools attached, you are dealing with application-layer exposure, not just encrypted transport.

That is where the actual leaks happen:

  • prompt injection
  • indirect prompt injection from code comments, docs, or commit messages
  • over-broad filesystem access
  • logs and traces
  • long-lived memory
  • accidental quoting into group chats
  • tool misuse

OWASP’s LLM guidance is very clear here: the dangerous part is unauthorized data access and exfiltration through the agent’s own permissions and context handling.

So no, “but WhatsApp is encrypted” is not the answer.

The real question is:

What can this agent see at all?

Once you ask that, the architecture gets stricter fast.

The best fix is to make the agent dumber by default

This is the part people resist.

It feels like you are weakening the assistant.

For proprietary code in a consumer chat surface, I think that instinct is wrong.

The safer design is usually also the better design:

  • don’t preload the whole repo into memory
  • don’t give the WhatsApp-connected agent broad repo awareness
  • don’t mount everything and hope prompting will save you
  • keep the codebase behind retrieval

Instead:

  1. Index the repo.
  2. Retrieve only the snippets needed for the question.
  3. Answer from retrieved context.
  4. Keep the session narrow.

That is not a downgrade. It is a cleaner boundary.

And for automation teams, this matters for cost too.

A retrieval-first setup is safer because it narrows exposure. But it also tends to generate lots of smaller model calls. If you are doing this across OpenClaw, n8n, Make, Zapier, or custom agents, flat-rate API access is a much better fit than per-token billing.

You should not have to choose between safer architecture and predictable cost.

Broad memory is convenience disguised as risk

I also ran into another r/openclaw thread about agent memory that nailed a related issue.

One user described a memory setup with:

  • 80+ markdown files
  • 5 million characters of memory

Another commenter said they solved it by building a RAG MCP server so the agent could search memory and pull only the relevant context.

That was framed as a quality and performance fix.

For proprietary-code assistants, it is also a security fix.

A giant memory blob is not just messy context. It is pre-exposed internal knowledge.

If your WhatsApp assistant already “knows” the whole repo because you stuffed it into memory, every conversation starts from an unsafe baseline.

Retrieval changes the shape of the risk:

  1. The repo stays behind an index.
  2. The agent fetches only what the question needs.
  3. You can audit what was retrieved.
  4. The chat session is not carrying around a giant backpack of proprietary context.

That is a much better default.

OpenClaw already gives you the right controls

One thing I like about OpenClaw’s WhatsApp setup is that it treats channel configuration like a security boundary, not just onboarding.

That is the right mindset.

Useful controls include:

  • pairing requests expire after 1 hour
  • pending pairing requests are capped at 3 per channel
  • docs recommend a dedicated WhatsApp number
  • dmPolicy can be set to allowlist
  • groupPolicy can be set to allowlist
  • specific senders and groups can be approved explicitly

For an internal assistant, this is the sort of config I would actually ship:

{
  "channels": {
    "whatsapp": {
      "dmPolicy": "allowlist",
      "allowFrom": ["+15551234567"],
      "groupPolicy": "allowlist",
      "groupAllowFrom": ["+15551234567"]
    }
  }
}
Enter fullscreen mode Exit fullscreen mode

And the operational flow is straightforward:

openclaw channels add --channel whatsapp --account work --auth-dir /path/to/wa-auth
openclaw channels login --channel whatsapp --account work
openclaw pairing list whatsapp
openclaw pairing approve whatsapp <CODE>
Enter fullscreen mode Exit fullscreen mode

If that feels stricter than expected, good.

That is exactly what you want when the assistant is connected to proprietary code.

A dedicated WhatsApp identity plus allowlists gives you:

  • cleaner routing boundaries
  • fewer accidental contexts
  • less self-chat confusion
  • lower chance of the bot responding in the wrong place

But channel isolation is only half the story.

The next failure mode is tool access.

For private code over WhatsApp, OpenClaw + RAG beats broad repo exposure

I’ll say this directly:

For this use case, OpenClaw with retrieval over indexed code beats broad repo exposure every time.

There are tools that are great when a developer is sitting in their own editor on their own machine with normal repo access.

That is not the same environment as a WhatsApp group where some participants should not see source code.

For proprietary code over chat, the winning setup is the one that:

  • knows less by default
  • retrieves narrowly
  • can be fenced with allowlists
  • uses read-only access
  • exposes only the minimum context needed to answer

That means OpenClaw plus RAG-style retrieval is a better fit than any setup that starts by giving the assistant broad awareness of the full repository.

Claude Code has the better security instinct

Anthropic’s Claude Code docs point in a direction I think more teams should copy.

The security instinct is right:

  • read-only by default
  • explicit approval for higher-risk actions
  • tighter filesystem boundaries
  • shell and file edits treated as real escalations

If your agent is answering code questions in WhatsApp, it probably does not need:

  • shell execution
  • browser access
  • process control
  • broad filesystem traversal
  • access to secrets
  • persistent memory of the whole repo

It needs narrow retrieval against indexed code.

That’s it.

Yes, there is a reasonable counterargument:

“If I use a dedicated number, allowlists, read-only mounts, secret stripping, no exec tools, no browser, and short retention, isn’t that safe enough?”

Honestly: much safer, yes.

But notice what happened.

As the design got safer, it started looking more and more like retrieval and isolation, not broad repo exposure.

That is the whole point.

Which architecture actually belongs in WhatsApp?

Here’s the practical comparison.

Approach What happens in practice
Broad repo exposure in chat agent Agent has wide filesystem or memory access to proprietary code. Fast answers, but a much larger leak blast radius and more dangerous prompt injection paths.
RAG over indexed code context Agent retrieves only relevant snippets per question. Lower exposure, easier auditing, and a much better fit for WhatsApp, Slack, Discord, and Telegram assistants.
Dedicated isolated channel + allowlists Separate WhatsApp identity with explicit sender and group approval. More operationally strict, but routing boundaries are cleaner and accidental exposure drops fast.

If I had to compress the entire argument into one sentence:

Consumer chat surfaces should get answers, not repo access.

That distinction sounds minor until the day it saves you.

Provider policies help, but they are not your main boundary

OpenAI says API data is not used for training by default, with abuse-monitoring retention limits unless you qualify for stricter options.

Anthropic says commercial and API usage is not used to train generative models unless customers opt in.

Those are useful controls.

They are not your primary containment boundary.

They do not stop:

  • an over-permissioned OpenClaw agent from pasting proprietary code into a group
  • your own logs from retaining too much context
  • indirect prompt injection from a poisoned README or commit message

Even if you go fully local with Qwen or Llama on your own hardware, the same rule still applies:

the biggest risk is often your own architecture being too generous.

What I would actually ship

If I were building a private-code assistant for WhatsApp today, this would be my baseline.

1. Isolate the channel

Use a dedicated WhatsApp number.

In OpenClaw:

  • dmPolicy: "allowlist"
  • groupPolicy: "allowlist"
  • approve only known senders and groups

2. Keep the repo behind retrieval

Index the codebase.

Do not preload giant repo summaries or memory blobs into every session.

A minimal retrieval flow might look like this:

async function answerCodeQuestion(question: string) {
  const snippets = await retrieveRelevantCode({
    query: question,
    topK: 5,
    repo: "internal-app"
  });

  return llm.responses.create({
    model: "openai/gpt-5.4",
    input: [
      {
        role: "system",
        content: "Answer using only the retrieved code snippets. If the answer is unclear, say so."
      },
      {
        role: "user",
        content: `Question: ${question}\n\nRetrieved snippets:\n${snippets.join("\n\n")}`
      }
    ]
  });
}
Enter fullscreen mode Exit fullscreen mode

3. Make tools painfully narrow

Use:

  • read-only retrieval
  • no shell
  • no browser
  • no process tools
  • no secrets

If users need edits, move that workflow somewhere else:

  • Claude Code
  • Cursor
  • reviewed PR workflow
  • internal IDE assistant

4. Keep retention short

Minimize:

  • logs
  • memory
  • stored transcripts
  • traces containing code context

The less context you retain, the less context can leak later.

5. Treat group chats as a separate risk class

If unauthorized people are in the group, the assistant should not be quoting proprietary code there.

Maybe:

  • high-level summaries are okay
  • full snippets require an approved private channel
  • sensitive answers should redirect out of the group

For example:

function formatGroupResponse(result: { summary: string; containsSensitiveCode: boolean }) {
  if (result.containsSensitiveCode) {
    return "I can summarize this here, but I should send code-level details only in an approved private chat.";
  }

  return result.summary;
}
Enter fullscreen mode Exit fullscreen mode

That is where a lot of product wishful thinking dies.

The dream is:

“Everyone gets helpful answers in the group.”

The security reality is:

“Not everyone in the group should see the same thing.”

Once you accept that, the architecture gets much clearer.

The cost side matters too

This is the part a lot of security discussions skip.

Safer agent design usually means:

  • more retrieval calls
  • more summarization steps
  • more retries
  • more orchestration
  • more small LLM requests instead of one giant context dump

That is exactly where per-token pricing gets annoying.

If you are running these workflows all day across OpenClaw, n8n, Make, Zapier, or custom agents, flat-rate inference is just a better operational model.

That is the appeal of Standard Compute:

  • flat monthly pricing
  • OpenAI-compatible API
  • works with existing SDKs and HTTP clients
  • useful for agent-heavy workloads where call volume gets weird fast
  • dynamic routing across models like GPT-5.4, Claude Opus 4.6, and Grok 4.20

If your architecture is retrieval-heavy on purpose, you should not be staring at a token meter every time you make it safer.

Final take

If the assistant is connected to private code and living inside WhatsApp, I would not optimize for “knows the whole repo.”

I would optimize for:

  • isolation
  • retrieval
  • auditability
  • narrow tools
  • short retention

The assistant should behave less like a coworker with full repo access and more like a tightly scoped librarian:

  • fetch the relevant page
  • answer the question
  • expose only what is needed
  • forget as much as possible

That is the first design I would trust.

And if you are going to run that design at scale, I would put the inference layer on flat monthly API pricing instead of per-token billing every single time.

Top comments (0)