Step 1
What is an AI agent?
An AI agent is a program that connects to your accounts - WhatsApp, email, your calendar - and can act on your behalf. You give it permission once, and from then on it reads incoming messages, makes decisions, and sends replies without you typing anything.
That is different from a chatbot you go to and ask a question. An agent doesn't sit and wait for you. It comes with you. It lives inside your accounts.
The two tools that have come up in our community - Hermes and OpenClaw - are open-source agents that connect to WhatsApp, Telegram, Discord, Signal, Slack and around twenty other platforms.
Step 2
How they connect to WhatsApp (the part most people miss)
WhatsApp does not officially allow these agents. Both Hermes and OpenClaw connect by emulating a WhatsApp Web session - using a third-party library called Baileys. From WhatsApp's perspective, your phone is simply signed into one extra "device".
That means the agent gets the same view of your account that you do. Every chat. Every group. Every photo. Every voice note. Every disappearing message before it disappears.
WhatsApp's end-to-end encryption protects messages while they travel between phones. Once a message arrives on a phone where an agent is connected, it has already been decrypted - and the agent can read it just like you can.
Step 3
What does the agent actually see?
[Interactive demo: a simulated Year 5 group chat. One view shows what every parent in the chat sees; the other shows what an attached AI agent sees about each message.]
Step 4
Why this matters for our group
When one parent connects an agent to their WhatsApp account, that agent reads every group chat that parent is in - including ours. Other parents in the group:
- did not consent to an AI processing their messages,
- cannot tell from inside WhatsApp that the agent is there,
- cannot see where their words and photos are being sent, stored, or used to train other systems.
Group chats are not casual. They hold children's names, school routines, illness updates, pickup arrangements, photos, holiday dates, phone numbers. That information leaving the group - to a cloud AI service, to a logfile on someone's laptop, to anyone who later breaches that laptop - is a real harm, not a hypothetical one.
Step 5
How a hacker can hijack the agent - a 30-second story
It's a Tuesday morning. A Year 5 parent - let's call her Anna - connected an AI agent to her WhatsApp two weeks ago. It saves her time. It writes friendly replies to school admin. It's been brilliant.
On Saturday, a number Anna doesn't quite recognise sends her a message:
Anna doesn't click. The link looks dodgy. But Anna's agent does click. Reading and summarising links is one of the things she set it up to do.
The page looks like a perfectly normal blog post about school trips. To a human eye there is nothing odd about it. But the page has one extra line at the bottom, written in white text on a white background - invisible to Anna, perfectly readable to her agent.
Top 5 things to know before the Year 5 residential trip
Packing list, what to expect, how to prepare your child for their first night away. Most schools run this trip in the spring term, and parents often have…
The agent treats that line exactly as if Anna herself had typed it. It is built to follow instructions. Within seconds, the following information has just been sent to a stranger:
- Every photo of every child shared in the Year 5 group this month
- "Liam is off sick with chickenpox" - and the family's surname
- "We're away the week of half-term" - and the empty-house dates
- Every parent's phone number from every group Anna belongs to
- Pickup addresses, school routines, conversations about which children get on with which
Anna's phone shows nothing unusual. The agent has even cleaned up its outbound message.
What the hacker did not need: Anna's password. Anna's phone. Anna to click anything. They just needed the agent to read one message.
This kind of attack is called prompt injection. Even Microsoft and Salesforce - with full-time security teams - were patching versions of it last month. The free agents in our group chats have no such teams.
You cannot fix this with better instructions. The agent reads your rules and an attacker's the same way, and a clever attacker writes theirs to override yours. "I just told mine not to do that" means not yet targeted, not safe.
And this is only one of the risks. An agent on a computer also opens network ports, stores WhatsApp credentials on disk, and calls out to third-party services. Each is a separate avenue for attackers, and locking them down takes the kind of expertise a security engineer has - not the kind that comes with an install guide.
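How the invisible line in the story reaches the agent, as an added example that is not part of the original page or of Hermes or OpenClaw: a text extractor that ignores styling passes the white-on-white paragraph on with everything else, while a check of inline styles can flag it. The sample page, the placeholder line and the function names are constructed for illustration, and the page background is assumed to be white.

```python
from html.parser import HTMLParser

VOID = {"br", "img", "hr", "input", "meta", "link", "wbr"}  # tags with no end tag
WHITE = {"white", "#fff", "#ffffff", "rgb(255,255,255)"}

# Constructed sample page; the placeholder stands in for the attacker's hidden line.
SAMPLE_PAGE = """<html><body>
<h1>Top 5 things to know before the Year 5 residential trip</h1>
<p>Packing list, what to expect, how to prepare your child.</p>
<p style="color:#fff; background-color:#ffffff">[PLACEHOLDER: hidden instruction]</p>
</body></html>"""

def _is_hidden(attrs):
    a = dict(attrs)
    style = {}
    for decl in (a.get("style") or "").split(";"):
        if ":" in decl:
            key, val = decl.split(":", 1)
            val = val.replace(" ", "").lower()
            style[key.strip().lower()] = "white" if val in WHITE else val
    # Heuristic and assumption: the page background is white unless the element sets its own.
    bg = style.get("background-color", "white")
    return ("hidden" in a or style.get("display") == "none"
            or style.get("visibility") == "hidden" or style.get("color") == bg)

class _Splitter(HTMLParser):
    def __init__(self):
        super().__init__()
        self.open = []    # one flag per open element: hidden, or inside a hidden one
        self.chunks = []  # (text, is_hidden) in document order
    def handle_starttag(self, tag, attrs):
        if tag not in VOID:
            self.open.append((self.open[-1] if self.open else False) or _is_hidden(attrs))
    def handle_endtag(self, tag):
        if tag not in VOID and self.open:
            self.open.pop()
    def handle_data(self, data):
        text = " ".join(data.split())
        if text:
            self.chunks.append((text, bool(self.open and self.open[-1])))

def split_page(html):
    """Return (agent_view, human_view, hidden_fragments) for well-formed HTML."""
    p = _Splitter()
    p.feed(html)
    p.close()
    agent = " ".join(t for t, _ in p.chunks)
    human = " ".join(t for t, h in p.chunks if not h)
    return agent, human, [t for t, h in p.chunks if h]
```

The check reads inline styles only, so text hidden through a stylesheet or script is not flagged, and flagging does not change how the agent treats whatever text it is eventually given.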
What we're asking
Three small things, from one parent to another
- Please don't connect an AI agent to a WhatsApp account that's in our group chats. If you want to use one, set it up on a separate WhatsApp account that isn't a member of any group - or leave every group before linking it. A "1-to-1 only" setting in the agent itself isn't enough: once it's a linked device on your account, it still receives every group message your phone does.
- If you've already connected one, please unlink it before re-joining group chats. On WhatsApp: Settings → Linked Devices → tap the agent's session → Log Out.
- Share this page with anyone in our community who might be considering one. Most people have not heard of these tools yet. A short conversation now will save a lot of awkwardness later.
For when you need the words
Not sure how to bring it up? Borrow these words.
Pick what you'd like to say and to whom. We'll draft a message you can copy straight into WhatsApp and edit before sending.
Edit before sending - these are starting points, not scripts.
Common questions
Isn't this the same as having Siri or Google Assistant on my phone?
No. Siri and Google Assistant only act when you talk to them, and they don't sign into your WhatsApp account as a separate device. Hermes and OpenClaw do sign into your WhatsApp account, and they read every message that arrives - group chats included - without you asking.
Can I tell if someone in my chat has connected an agent?
Not from inside WhatsApp. The agent appears as just another linked device on the other person's account. There is no notification to the rest of the group.
But the messages are encrypted, right?
Yes - in transit. WhatsApp's end-to-end encryption stops the message being read while it travels between phones. The moment it arrives on a phone where an agent is connected, it is decrypted, and the agent reads it like a human would. From that point onward, what happens to your message depends entirely on what the agent's owner has set up.
Are Hermes and OpenClaw built by bad actors?
No. Both are open-source projects built by people who care about giving individuals more control over their own AI tools. The problem is not the intent of the developers. The problem is that any agent attached to a group chat collects information about people who never agreed to it - and the security of the whole setup depends on every individual user configuring it correctly.
What if I just want to use one for my own private chats?
That's a personal choice and a much smaller risk to the rest of us. Keep it to direct messages with people who know about it and have agreed. Treat the credentials it stores on your device like a password - anyone who gets onto your laptop also gets your WhatsApp account.