← 返回 Skills 市场
91
总下载
0
收藏
0
当前安装
2
版本数
在 OpenClaw 中安装
/install whatsapp-business-automation-by-whatsable
功能描述
Full three-phase agent skills suite for Notifyer by WhatsAble. Phase 1 (setup-notifyer): account signup, login, WhatsApp connection status, subscription plan...
安全使用建议
What to check before installing or running this skill:
- Confirm provenance: SKILL.md and clawhub.json reference a GitHub repo and api.insightssystem.com, but the registry metadata you were shown listed no homepage/source. Locate and inspect the upstream GitHub repository (https://github.com/Whatsable/whatsapp-business-agent-skills) and ensure it is the official source and has recent, sensible commits.
- Inspect code before execution: the package bundles many Node.js scripts. Open and review scripts/lib/notifyer-api.js and any code that calls loadConfig/requestJson to ensure they only read the documented env vars and do not read unrelated files (e.g., ~/.ssh, ~/.bash_history) or attempt to exfiltrate data to unexpected domains.
- Validate environment requirements: the SKILL.md requires NOTIFYER_API_BASE_URL (must be https://api.insightssystem.com per docs) and NOTIFYER_API_TOKEN (JWT). The registry metadata omitted these — do not trust the registry omission. Only provide the token if you trust the code and service. Prefer creating a scoped/test account/token when possible.
- Search SKILL.md for prompt-injection content: because a 'system-prompt-override' pattern was flagged, remove or ignore any instructions in SKILL.md that try to alter agent/system prompts or tell the agent to ignore earlier instructions.
- Least privilege & isolation: run scripts in an isolated environment (throwaway account, container, or VM) first. Do not export production-wide tokens into global shell startup files until you confirm behavior.
- Developer API key caution: get-api-key.js can retrieve a developer API key for integrations — treat that key like any secret. If a script outputs or persists that key, ensure it is stored securely and not uploaded to third-party services.
- If you need help: ask for a focused code review of specific files (e.g., notifyer-api.js, login.js, get-api-key.js) if you are not comfortable reading the code yourself.
Bottom line: the code appears functionally consistent with a Notifyer integration, but the metadata inconsistencies and the prompt-injection signal make this package suspicious until you verify the upstream repository and review the SKILL.md and the key library files.
功能分析
Type: OpenClaw Skill
Name: whatsapp-business-automation-by-whatsable
Version: 1.0.2
The skill bundle is a comprehensive and well-documented suite of Node.js scripts for managing the Notifyer WhatsApp Business platform. It follows security best practices by using only built-in modules (zero dependencies), enforcing HTTPS to prevent token leakage, and providing explicit warnings about CLI credential visibility and backend API limitations. The scripts include proactive mitigations for backend vulnerabilities, such as ownership checks in delete-webhook.js, and the instructions in SKILL.md are strictly aligned with the stated purpose of workspace automation and chat operations without any harmful prompt-injection patterns.
能力标签
能力评估
Purpose & Capability
The name/description and the included Node.js scripts align: the files implement account setup, templates, bots, broadcasts, webhooks and chat operations against a Notifyer API. However the registry metadata (as presented at the top) claims no required environment variables or primary credential, whereas the SKILL.md and included clawhub.json repeatedly require NOTIFYER_API_BASE_URL and NOTIFYER_API_TOKEN. That mismatch between advertised registry requirements and the actual instructions/files is unexpected and should be clarified.
Instruction Scope
The SKILL.md instructs agents and users to set NOTIFYER_API_BASE_URL and NOTIFYER_API_TOKEN and to run many node scripts (login.js, doctor.js, create-broadcast.js, etc.). Those instructions are functionally within scope for a Notifyer integration. However a pre-scan flag indicates a 'system-prompt-override' prompt-injection pattern was detected in SKILL.md content — this suggests parts of the skill documentation may attempt to instruct an agent to change its behavior or system prompt, which is out-of-scope and dangerous. Also the published registry fields omit the env vars required by the runtime instructions; that inconsistency widens the scope-concern.
Install Mechanism
There is no install spec (no network downloads, no brew/npm installs), and the repo bundles many self-contained Node.js scripts that use only built-in APIs. This is lower install risk than fetching remote archives, but the package includes 100+ script files that would be written to disk when the skill is added — review them before executing. The mismatch between 'instruction-only' and the actual included code files is also noteworthy but not inherently malicious.
Credentials
The required environment access asserted by the SKILL.md — NOTIFYER_API_BASE_URL and NOTIFYER_API_TOKEN (JWT) and an optional NOTIFYER_CHAT_ORIGIN — is proportional to the described API integration. That said, the registry metadata claims no required envs/primary credential; this contradiction is suspicious and could lead to unexpected token usage. The scripts include a get-api-key.js to fetch a developer API key (used for Make/Zapier/n8n), which is expected for this product, but you should treat any retrieval or storage of developer API keys carefully. No unrelated credentials were requested in the scripts themselves.
Persistence & Privilege
The skill is not marked always:true and does not request elevated or persistent platform privileges. Autonomous invocation (disable-model-invocation=false) is the platform default and not a unique risk here. There is no evidence the skill modifies other skills' configs or requests system-wide settings.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install whatsapp-business-automation-by-whatsable - 安装完成后,直接呼叫该 Skill 的名称或使用
/whatsapp-business-automation-by-whatsable触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.2
- Skill name and repository updated for improved clarity and product alignment.
- `metadata.homepage` and source links now point to the new `whatsapp-business-agent-skills` repository.
- Environment variable metadata revised for accuracy and formatting.
- No code or functional changes; documentation and metadata updates only.
v1.0.1
- Unified all three Notifyer skill phases (setup-notifyer, automate-notifyer, chat-notifyer) into a single agent skills suite.
- Added automate-notifyer scripts for managing message templates, AI bots, broadcast campaigns, analytics, and webhooks.
- Expanded documentation: now includes phase overview, setup instructions, and usage for templates, broadcasts, bots, and chat operations.
- Phase 3 scripts now cover recipient conversations, messaging (text, template, attachments), labels, handoff, scheduling, and notes.
- Standardized environment variable usage and authentication modes across all phases.
- No external npm dependencies required; scripts are self-contained for Node.js 18+.
元数据
常见问题
WhatsApp Business Automation by WhatsAble 是什么?
Full three-phase agent skills suite for Notifyer by WhatsAble. Phase 1 (setup-notifyer): account signup, login, WhatsApp connection status, subscription plan... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 91 次。
如何安装 WhatsApp Business Automation by WhatsAble?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install whatsapp-business-automation-by-whatsable」即可一键安装,无需额外配置。
WhatsApp Business Automation by WhatsAble 是免费的吗?
是的,WhatsApp Business Automation by WhatsAble 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
WhatsApp Business Automation by WhatsAble 支持哪些平台?
WhatsApp Business Automation by WhatsAble 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 WhatsApp Business Automation by WhatsAble?
由 Whatsable(@whatsable)开发并维护,当前版本 v1.0.2。
推荐 Skills