WhatsApp Business API

Complete WhatsApp Business Cloud API for messages, templates, media, webhooks, flows, and business profiles.

This package appears to be a genuine WhatsApp Business Cloud API guide, but there are a few important mismatches to resolve before you install: - Confirm required credentials: The registry lists WHATSAPP_ACCESS_TOKEN and WHATSAPP_PHONE_NUMBER_ID, but the runtime docs also reference WHATSAPP_BUSINESS_ACCOUNT_ID and WHATSAPP_APP_SECRET (used for template operations and webhook signature verification). Ask the publisher or maintainer which env vars the platform will actually request and include those missing values in the declared requires.env if needed. - Protect secrets: Any access token or app secret you provide can be used to send messages or manage templates. Only provide the minimum-scoped token (system user or short-lived token as appropriate), rotate tokens regularly, and avoid pasting secrets into public chat/history. - Review local storage: The skill will create ~/whatsapp-business-api/memory.md and store context (phone numbers, webhook URLs, template references). Do not store secrets or tokens in that file. Review its contents periodically and restrict file permissions as needed. - Webhook handling: The skill correctly instructs verifying X-Hub-Signature-256 with the app secret; if you don’t supply WHATSAPP_APP_SECRET, webhook verification cannot be properly performed. Ensure your webhook verification is implemented server-side and that the secret is kept safe. - Autonomy considerations: The skill is invocable by the model (normal default). Because the skill can send API requests using your token, consider limiting autonomous invocation or approving actions interactively if you want tighter control over outgoing messages. - Source verification: The skill's homepage/source is listed as unknown; prefer skills from a known publisher or inspect any runtime hook if provided. Since this is instruction-only (no installer), risk is lower, but the mismatch in declared vs. used env vars is the main red flag. If you need to proceed: request the publisher update the registry metadata to list all env vars the skill will use (including WHATSAPP_APP_SECRET and WHATSAPP_BUSINESS_ACCOUNT_ID) and confirm exactly what the skill will store in ~/whatsapp-business-api/ before supplying credentials.

Type: OpenClaw Skill Name: whatsapp-business-api Version: 1.0.0 The OpenClaw AgentSkills bundle for WhatsApp Business API is benign. It provides comprehensive documentation and API examples for interacting with the official Meta Cloud API. All `curl` commands target the legitimate `graph.facebook.com` endpoint and use environment variables for authentication (`WHATSAPP_ACCESS_TOKEN`, `WHATSAPP_PHONE_NUMBER_ID`, etc.). The `SKILL.md` and `memory-template.md` files contain clear instructions for the AI agent, explicitly stating what data is sent to Meta and what stays local, and instructing the agent not to log sensitive tokens or skip webhook verification. There is no evidence of data exfiltration to unauthorized endpoints, malicious execution, persistence mechanisms, obfuscation, or prompt injection attempts designed to subvert the agent's intended behavior.