← Back to Skills Marketplace
358
Downloads
0
Stars
0
Active Installs
3
Versions
Install in OpenClaw
/install whatsapp-otp
Description
Send WhatsApp OTP (one-time password) messages via CMI OmniChannel RCS API. Use when user asks to send verification code, OTP, or authentication code via Wha...
Usage Guidance
This skill appears to do exactly what it claims, but it contains an explicit workaround that weakens network security: the Python script disables SSL certificate verification and the scripts avoid proxies to reach a server with a broken TLS configuration. Before installing or providing credentials: 1) Verify you trust the API provider (cpaas-rcs.cmidict.com) and the tenant you will use. 2) Prefer not to reuse long‑lived credentials; use short‑lived or scoped keys if possible and rotate them after testing. 3) Run the scripts in a controlled/sandboxed environment first to confirm behavior. 4) Ask the provider to fix their certificate configuration so you can re-enable standard verification and proxy traversal. 5) Ensure the agent or environment won't log or leak the AccessKeySecret or ApplicationSecret (avoid pasting secrets into public chat). If you cannot accept disabling TLS verification or bypassing your corporate proxy, do not use this skill until the API endpoint is corrected or the scripts are adapted to your environment.
Capability Analysis
Type: OpenClaw Skill
Name: whatsapp-otp
Version: 1.0.2
The skill bundle contains scripts (send_whatsapp_otp.py and send_whatsapp_otp.sh) that intentionally disable critical security controls to interact with the CMI OmniChannel RCS API (cpaas-rcs.cmidict.com:7081). Specifically, the Python script disables SSL certificate verification (CERT_NONE) and clears all system proxy environment variables. While these actions are documented in SKILL.md as workarounds for non-standard API configurations, they introduce significant vulnerabilities, such as susceptibility to Man-in-the-Middle (MitM) attacks, which could lead to the exposure of the sensitive API credentials requested from the user.
Capability Assessment
Purpose & Capability
Name/description match the included Python and shell scripts and the runtime instructions. The requested inputs (AccessKeyId, AccessKeySecret, ApplicationName, ApplicationSecret, recipient, OTP) are appropriate and required for the API calls the skill performs.
Instruction Scope
SKILL.md and the scripts instruct the agent to clear proxy environment variables and to disable certificate verification / use a permissive SSL context to contact https://cpaas-rcs.cmidict.com:7081. These actions are outside normal best practices and reduce transport security (MITM risk), though they are documented and appear intended to work around a server with a bad TLS configuration.
Install Mechanism
No install spec or external downloads; the skill is instruction+bundled local scripts only. No third‑party packages are fetched at install time (the Python script requires 'requests' but only checks for it at runtime).
Credentials
The skill requires tenant credentials (AccessKeyId/AccessKeySecret and app secret) which are proportionate to sending OTPs. It does modify proxy environment variables within the process and the shell version uses curl --noproxy '*'; this affects only the process but may bypass corporate proxies and access controls — a security tradeoff explained in the SKILL.md.
Persistence & Privilege
The skill is not always-enabled, does not request platform-level persistence, and does not modify other skills or system-wide agent settings.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install whatsapp-otp - After installation, invoke the skill by name or use
/whatsapp-otp - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.2
Display name changed.
v1.0.1
- Added a new Security Considerations section describing SSL/TLS certificate handling and proxy environment clearing.
- Explained that the script uses a permissive SSL adapter to handle non-standard endpoint SSL settings.
- Documented that proxy variables are cleared to ensure direct connectivity to the API endpoint.
- Included recommendations and risk assessment for these security workarounds.
v1.0.0
Initial release of WhatsApp OTP sender skill.
- Sends WhatsApp OTP (one-time password) messages through the CMI OmniChannel RCS API.
- Requires API authentication credentials and uses a pre-configured message template.
- Guides user to provide required parameters: recipient phone number (without +) and OTP code.
- Phone number format, API endpoint, authentication, and response handling are detailed in documentation.
- Script automates sending OTP, including timestamp generation and credential use.
Metadata
Frequently Asked Questions
What is CMI CPaaS - WhatsApp OTP Sender?
Send WhatsApp OTP (one-time password) messages via CMI OmniChannel RCS API. Use when user asks to send verification code, OTP, or authentication code via Wha... It is an AI Agent Skill for Claude Code / OpenClaw, with 358 downloads so far.
How do I install CMI CPaaS - WhatsApp OTP Sender?
Run "/install whatsapp-otp" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is CMI CPaaS - WhatsApp OTP Sender free?
Yes, CMI CPaaS - WhatsApp OTP Sender is completely free (open-source). You can download, install and use it at no cost.
Which platforms does CMI CPaaS - WhatsApp OTP Sender support?
CMI CPaaS - WhatsApp OTP Sender is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created CMI CPaaS - WhatsApp OTP Sender?
It is built and maintained by CMI CPaaS (@picccabo-art); the current version is v1.0.2.
More Skills