Toingg Ops Toolkit

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill is coherent for Toingg operations, but it can use a Toingg token to upload contacts, create campaigns, send WhatsApp messages, and optionally run a scheduled analytics job, so users should approve those actions carefully.

Install only if you intend to let Claw operate your Toingg account. Provide a scoped Toingg token if possible, verify every campaign/contact/template action before sending, avoid uploading unauthorized contacts, and enable the analytics cron only when you want a persistent daily job.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken payload, contact list, or template choice could create the wrong campaign or message the wrong recipients.

Why it was flagged

The skill intentionally exposes helpers that can mutate the Toingg account and send WhatsApp template messages. This is expected for the toolkit, but it is recipient-facing and should not be run without clear user approval.

Skill content

`scripts/create_campaign.py` | POST `/api/v3/create_campaign` with arbitrary payloads ... `scripts/send_whatsapp_templates.py` | Trigger `/api/v3/send_whatsapp_templates`

Recommendation

Before running these scripts, confirm the campaign payload, contact list, template name, language, recipient count, and whether resend is intended.

What this means

Anyone or any scheduled job with this token can act on the connected Toingg account within the token's permissions.

Why it was flagged

The token is expected for Toingg API access, but it grants authority to create campaigns, upload contacts, fetch analytics, and send templates. Registry metadata does not declare a primary credential or required environment variable.

Skill content

All HTTP calls reuse the `TOINGG_API_TOKEN` bearer token.

Recommendation

Use a least-privilege Toingg token if available, store it only in trusted environments, rotate it when needed, and ensure metadata or local documentation makes the credential requirement clear.

What this means

Contact names, phone numbers, and context notes may be sent to Toingg and stored in local JSON files or logs.

Why it was flagged

The workflow handles names, phone numbers, and context fields, then uploads them to the Toingg provider API. This is purpose-aligned, but it crosses a data boundary with contact PII.

Skill content

Create a spreadsheet with **exactly these headers in the first row** ... `name` ... `phone` ... `context`

Recommendation

Only process contacts the user is authorized to upload, minimize sensitive context fields, and store generated JSON/logs according to the user's data-handling rules.

What this means

If enabled, analytics will continue being fetched and written daily until the cron job is removed.

Why it was flagged

The skill documents a persistent scheduled job that continues pulling analytics after setup. The documentation appropriately says to enable it only when requested and shows how to delete it.

Skill content

openclaw cron create toingg-analytics-digest --schedule "0 19 * * *" --command "... ./scripts/get_campaign_analytics.py > ~/toingg-analytics/analytics-$(date +%Y%m%d).json"

Recommendation

Enable the cron only after explicit user confirmation, record the output directory, and remove it with `openclaw cron delete toingg-analytics-digest` when no longer needed.