WhatsApp Outreach Platform — AI Leads, Bulk Messaging, Reviews & CRM Pipeline
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This is not malware, but it gives an AI-connected service broad WhatsApp access to read conversations, mine leads, and send bulk or recurring messages, so it needs careful review before use.
Install only if you intentionally want MoltFlow and your AI assistant to operate a linked WhatsApp account. Start with a read-only or narrowly scoped key, enable approval requirements, review every recipient list and scheduled automation, avoid lead mining or outreach without consent, and regularly audit/delete active webhooks, monitors, schedules, knowledge-base files, and style profiles.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken prompt, bad recipient list, or insufficiently scoped API key could send unwanted WhatsApp messages at scale or affect the user's WhatsApp reputation/account.
The primary skill explicitly exposes high-volume messaging and campaign tools; the 'ban-safe delays' framing suggests bulk outreach risk that needs strong scoping and approval controls.
Evidence: description: "Automate WhatsApp at scale — mine leads from groups with AI, broadcast to channel followers, bulk message with ban-safe delays, schedule campaigns, auto-reply..."
Recommendation: Use read-only/scoped keys where possible, require explicit confirmation with recipient counts and message previews before any send, enable approval mode, and only message opted-in recipients.

A single configuration error could repeatedly broadcast incorrect, private, or non-compliant content to thousands of people.
The documented workflows include large-audience recurring broadcasts, so one wrong schedule, message, or audience selection can propagate broadly.
Evidence: "Post our weekly product update to all 5,000 WhatsApp Channel followers every Monday"
Recommendation: Require dry-runs, audience caps, approval checkpoints, scheduling review, opt-out handling, and easy pause/cancel controls for all bulk and recurring campaigns.

Private WhatsApp conversations may be analyzed and turned into reusable AI style/context data, increasing privacy and cross-context leakage risk.
The AI style feature can train a persistent profile from all conversations, which is broad sensitive-message processing and could reuse private context across future replies.
Evidence: **Note:** Omit both `session_id` and `wa_chat_id` to build a general profile from all conversations.
Recommendation: Train only on explicitly selected chats, document retention/deletion behavior, require consent for sensitive conversations, and review/delete style profiles and knowledge sources regularly.

Automations may keep sending messages or responding to customers after setup, even when the user is not actively supervising.
The skill supports event-triggered outbound messaging that can persist and act after the original user request.
Evidence: "Set up automatic order confirmation messages after every purchase" ... "Webhook listener for purchase events, triggers outbound message via API."
Recommendation: Create automations with clear names, owners, expiry dates, audit logs, and disable/pause instructions; periodically review active schedules, monitors, and webhooks.

A broad MoltFlow key could allow more than messaging, including account settings, billing actions, and creating or rotating other API keys.
Admin documentation includes privileged account, billing, tenant settings, and API-key operations; this is expected for an admin module but sensitive.
Evidence: Manage API keys (create, rotate, revoke) ... Required API Key Scopes ... `billing` | `manage` ... `account` | `manage`
Recommendation: Do not use an owner/admin all-scope key for routine outreach; create separate short-lived scoped keys for read-only, messaging, leads, and admin tasks.

If exposed too broadly, another configured agent or webhook could route messages through the wrong WhatsApp session or receive sensitive event data.
The A2A module permits agent-to-agent messaging and webhook management, including a generic endpoint; authentication and encryption are documented, but identity/routing boundaries matter.
Evidence: | POST | `/a2a` | Generic (first active session) | ... `webhook_manager` | Manage webhooks via A2A |
Recommendation: Prefer fully scoped A2A endpoints, restrict A2A API keys, verify webhook destinations, enable content policy controls, and audit which agents are allowed to send or receive messages.
