← Back to Skills Marketplace
217
Downloads
0
Stars
1
Active Installs
1
Versions
Install in OpenClaw
/install whatsapp-openapi-skill
Description
Operate WhatsApp Business Platform Cloud API through UXC with a curated OpenAPI schema, bearer-token auth, and message/profile guardrails.
Usage Guidance
This skill appears to do what it says (wrap the WhatsApp Cloud API via uxc), but there are a few things to check before installing: 1) The SKILL.md expects you to configure a bearer token in WHATSAPP_CLOUD_ACCESS_TOKEN, but the registry metadata does not declare any required environment variables — confirm you will provide only a least-privilege token and that the omission was accidental. 2) The skill fetches a curated OpenAPI schema from raw.githubusercontent.com and makes requests to graph.facebook.com — if you need to audit network interactions or pin the schema, download and review the JSON locally before use. 3) Ensure the token you provide has limited scope and rotation policies (avoid using long-lived/full-admin tokens). 4) The skill instructs explicit confirmation before sends — verify your agent or human workflow enforces that to avoid accidental outbound messages. If the owner or source is unknown, prefer to review the schema and the validate.sh locally and to test with a non-production token/account first.
Capability Analysis
Type: OpenClaw Skill
Name: whatsapp-openapi-skill
Version: 1.0.0
The WhatsApp Cloud API skill bundle is well-structured and aligns with its stated purpose of managing WhatsApp Business Platform operations via the uxc tool. It includes a curated OpenAPI schema (whatsapp-cloud.openapi.json), clear authentication procedures using environment variables, and explicit safety guardrails in SKILL.md that require user confirmation for high-risk write operations. No evidence of malicious intent, data exfiltration, or unauthorized command execution was found.
Capability Assessment
Purpose & Capability
The name, description, OpenAPI schema, and runtime instructions all align with operating the WhatsApp Business Platform Cloud API via the 'uxc' wrapper. However, the registry metadata claims no required environment variables or primary credential while the SKILL.md explicitly instructs binding a bearer token via WHATSAPP_CLOUD_ACCESS_TOKEN — a direct mismatch between declared requirements and actual instructions.
Instruction Scope
The SKILL.md stays on-purpose: it instructs linking a schema-backed CLI, how to set bearer auth, and which Graph API endpoints to call. It explicitly warns to require user confirmation for message sends and avoids hosting webhooks or managing media uploads. It does require network access to graph.facebook.com and to fetch a curated schema from raw.githubusercontent.com, which is expected for this wrapper but worth noting.
Install Mechanism
This is an instruction-only skill with no install spec, so it does not write arbitrary code to disk or download executables at install time. The included validate.sh is a local check script that requires common tools (rg, jq) but is only for validation.
Credentials
The runtime docs require a bearer access token (WHATSAPP_CLOUD_ACCESS_TOKEN) and phone/waba identifiers, but the skill metadata lists no required env vars or primary credential. Requesting a single WhatsApp bearer token for this functionality is proportionate — the problem is the metadata omission that could hide necessary secret access from reviewers. Also the SKILL.md suggests binding a token with uxc which will grant the skill bearer-token access to graph.facebook.com paths.
Persistence & Privilege
The skill is not marked 'always' and does not request persistent elevated privileges. It does not modify other skills or system-wide settings beyond recommending a uxc auth binding (which is scoped to the Graph API host/path). Autonomous invocation is allowed by default but not excessive here.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install whatsapp-openapi-skill - After installation, invoke the skill by name or use
/whatsapp-openapi-skill - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of the WhatsApp Business Platform Cloud API skill.
- Enables WhatsApp API operations (phone number info, business profile, messaging) via UXC and curated OpenAPI schema.
- Supports bearer-token authentication and version-pinned API paths (Graph API v25.0).
- Documents required setup, core usage workflow, and best-practice guardrails.
- Focuses on outbound requests: does not cover inbound webhooks, template management, media lifecycle, or full platform surface.
- Includes references and strict guidance on safe message sending and business profile changes.
Metadata
Frequently Asked Questions
What is WhatsApp OpenAPI Skill?
Operate WhatsApp Business Platform Cloud API through UXC with a curated OpenAPI schema, bearer-token auth, and message/profile guardrails. It is an AI Agent Skill for Claude Code / OpenClaw, with 217 downloads so far.
How do I install WhatsApp OpenAPI Skill?
Run "/install whatsapp-openapi-skill" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is WhatsApp OpenAPI Skill free?
Yes, WhatsApp OpenAPI Skill is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does WhatsApp OpenAPI Skill support?
WhatsApp OpenAPI Skill is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created WhatsApp OpenAPI Skill?
It is built and maintained by jolestar (@jolestar); the current version is v1.0.0.
More Skills