GOWA - WhatsApp Automation
v1.4.0Interact with WhatsApp via GOWA (Go WhatsApp Web Multi-Device) REST API for personal automation. Supports sending messages with ghost mentions (@everyone), images, documents, group management, and more. Always use REST mode (http://localhost:3000) for production.
⭐ 2· 1.3k·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name and description (GOWA WhatsApp automation) match the SKILL.md and references: the instructions target a local GOWA REST server (http://localhost:3000) and expose endpoints for messaging, media, groups, and device management. Nothing requested (no env vars, no external credentials) is unrelated to WhatsApp automation.
Instruction Scope
Runtime instructions confine actions to calling a local REST server and uploading local media files when needed. The SKILL.md does not instruct reading unrelated system files, exfiltrating data, or contacting external endpoints beyond the documented API. Note: sending media requires access to local file paths and operations that control your WhatsApp account (sending messages, exporting participants) — these are consistent with the stated purpose but are powerful actions on your account.
Install Mechanism
This is an instruction-only skill with no automated install script. Installation guidance points to GitHub releases (official project repo). No downloads or extract operations are performed by the skill itself, which reduces installation risk; the user is expected to download/run the server manually.
Credentials
The skill declares no required environment variables or credentials. The reference notes optional Basic Auth for the GOWA server (user-configured) but the skill does not demand secrets. The lack of unrelated credential requests is proportionate to the stated functionality.
Persistence & Privilege
always:false and no special privileges requested. The skill does not request persistent platform-wide presence or modify other skills. Note: autonomous model invocation is allowed by default on the platform — this would let the agent call the local REST endpoints without additional user prompts if the agent chooses to do so; that is a platform behavior, not specific to this skill.
Assessment
This skill is coherent: it expects you to run a local GOWA REST server and then uses localhost:3000 endpoints to control your WhatsApp account. Before installing or using it, consider: 1) Running the GOWA server locally and binding it to localhost only; enable Basic Auth if you plan to expose the server beyond your machine. 2) Scanning the GOWA GitHub releases yourself (verify checksums/signatures where available) rather than downloading from untrusted mirrors. 3) Remember that linking the server requires scanning a WhatsApp QR code — that effectively gives the server (and any automated agent calling it) full control of the linked WhatsApp account, including sending messages, exporting participants, and changing group settings. 4) If you allow the agent to invoke the skill autonomously, it could send messages without separate consent — restrict invocation or require confirmation if that matters. If you want extra assurance, review the GOWA source code or run it in an isolated environment before granting it access to your primary account.Like a lobster shell, security has layers — review code before you run it.
latestvk977ptgxtqh0s7tzjcbmttyjgd80xg4n
License
MIT-0
Free to use, modify, and redistribute. No attribution required.