← Back to Skills Marketplace
kareemadelawwad

Evolution WhatsApp

by Kareem Adel · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
467
Downloads
0
Stars
2
Active Installs
1
Versions
Install in OpenClaw
/install evolution-whatsapp
Description
Manage WhatsApp via Evolution API: send messages, media, contacts, polls, manage groups, fetch chats, and summarize conversations.
README (SKILL.md)

Evolution WhatsApp Skill

Control WhatsApp via Evolution API v2.

Configuration

Before using, configure your credentials:

export EVO_BASE_URL="https://your-evo-instance.com"
export EVO_INSTANCE_TOKEN="your-instance-token"
export EVO_INSTANCE_NAME="YourInstanceName"

Getting Credentials

  1. Deploy Evolution API — Use Evolution API or their hosted service
  2. Create an instance — Get your instance name and token
  3. Set environment variables — Add to your shell or OpenClaw config

Capabilities

  • Send text messages
  • Send media (images, videos, documents)
  • Send audio / voice notes
  • Send stickers
  • Send location
  • Send contacts
  • Send buttons / interactive messages
  • Send lists
  • Send polls
  • Create / manage groups
  • Fetch chats, messages, contacts
  • Summarize group conversations

Usage Examples

Send a message to +201234567890: Hello!
Send an image to [number]: https://example.com/image.jpg with caption "Check this out"
Get my recent chats
List my groups
Summarize group [group name]

Environment Variables

Variable Description
EVO_BASE_URL Your Evolution API base URL
EVO_INSTANCE_TOKEN Your instance API token
EVO_INSTANCE_NAME Your instance name (URL encoded if needed)

Notes

  • Ensure your Evolution API instance is running and accessible
  • The instance must be connected to WhatsApp
  • Check API documentation for rate limits and restrictions
Usage Guidance
This skill's behavior otherwise matches its description, but pay attention to these issues before installing: - Confirm the three environment variables (EVO_BASE_URL, EVO_INSTANCE_TOKEN, EVO_INSTANCE_NAME) will be provided by you; the skill will exit otherwise. The registry metadata omitted these — treat that as an authoring error and verify values before use. - Ensure EVO_BASE_URL points to a trusted Evolution API instance you control or trust. The script sends your EVO_INSTANCE_TOKEN in an HTTP header to that base URL — if the endpoint is malicious or public, the token could be misused. - Remove or sanitize any .env file in the skill directory (or modify the script) if you keep other secrets there; the script auto-sources .env which may load unrelated sensitive values. - Prefer using a token with minimal scope and rotate it if you test on shared infrastructure. If you need stronger assurance, review the Evolution API server code and host it yourself rather than using an unfamiliar hosted instance. If you want help: I can (a) produce a safer variant of evo.sh that refuses to source .env, (b) draft updated SKILL.md metadata to include the required env vars, or (c) checklist how to self-host and harden the Evolution API instance.
Capability Analysis
Type: OpenClaw Skill Name: evolution-whatsapp Version: 1.0.0 The skill is classified as suspicious due to critical shell injection vulnerabilities found in `evo.sh`. Multiple functions, such as `send_text`, `send_media`, and others, construct JSON payloads by directly embedding unsanitized user-supplied arguments into a string passed to `curl -d`. This allows for arbitrary command execution (RCE) on the host system if user input contains shell metacharacters. Additionally, the script attempts to load environment variables from a local `.env` file, which could be exploited if an attacker can control the file. While these are severe vulnerabilities, there is no clear evidence of intentional malicious behavior like data exfiltration to an attacker-controlled server or persistence mechanisms, aligning it with a 'suspicious' classification rather than 'malicious'.
Capability Assessment
Purpose & Capability
The name, description, SKILL.md, and evo.sh are coherent: the script implements sending messages/media, fetching chats/groups, and other WhatsApp operations via the Evolution API. The environment variables and endpoints used are appropriate for that purpose. However, the registry metadata declares no required environment variables even though both SKILL.md and evo.sh require EVO_BASE_URL, EVO_INSTANCE_TOKEN, and EVO_INSTANCE_NAME — a notable inconsistency.
Instruction Scope
The instructions and the shell script stay within the stated scope (calling Evolution API endpoints via curl). One runtime behavior to note: evo.sh will source a local .env file from the script directory if present, which can load any local environment values (potentially unrelated secrets) without explicit mention in SKILL.md; otherwise the script only reads the three Evolution-related env vars.
Install Mechanism
There is no install spec or remote download; this is an instruction-only skill with an included bash script. No external packages or archives are fetched, and nothing is written to disk by an installer.
Credentials
The script legitimately needs EVO_BASE_URL, EVO_INSTANCE_TOKEN, and EVO_INSTANCE_NAME to operate. However, the registry metadata does not declare these required env vars (it lists none), which is a mismatch that could hide the need to provide credentials. Additionally, the script's automatic sourcing of a .env file may cause it to load other local variables unexpectedly — this expands its effective access to secrets beyond the three documented vars unless the user ensures .env contains only intended values.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and has no install-time persistence requirements. It runs as a normal, user-invocable/autonomously-invocable skill and does not claim elevated system privileges.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install evolution-whatsapp
  3. After installation, invoke the skill by name or use /evolution-whatsapp
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of Evolution WhatsApp Skill: - Integrates WhatsApp control via Evolution API v2. - Supports sending messages, media, audio, stickers, location, contacts, buttons, lists, and polls. - Includes group management and conversation summarization. - Allows fetching of chats, messages, contacts, and groups. - Requires configuration of API credentials via environment variables.
Metadata
Slug evolution-whatsapp
Version 1.0.0
License
All-time Installs 2
Active Installs 2
Total Versions 1
Frequently Asked Questions

What is Evolution WhatsApp?

Manage WhatsApp via Evolution API: send messages, media, contacts, polls, manage groups, fetch chats, and summarize conversations. It is an AI Agent Skill for Claude Code / OpenClaw, with 467 downloads so far.

How do I install Evolution WhatsApp?

Run "/install evolution-whatsapp" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Evolution WhatsApp free?

Yes, Evolution WhatsApp is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Evolution WhatsApp support?

Evolution WhatsApp is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Evolution WhatsApp?

It is built and maintained by Kareem Adel (@kareemadelawwad); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments