WhatsApp Business

Pass. Audited by ClawScan on May 1, 2026.

Overview

This is a coherent WhatsApp Business API integration, but it uses delegated OAuth/API-key access to send and manage business communications, so users should approve actions carefully.

Install only if you trust Maton with delegated WhatsApp Business access. Keep MATON_API_KEY secure, confirm every write action before it runs, double-check recipients and connection IDs, and review any message-sending costs or organizational privacy requirements.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used incorrectly, the agent could send the wrong customer message or alter business messaging resources.

Why it was flagged

The skill exposes write-capable WhatsApp Business API operations that can affect customer communications, but the authority is clearly related to the skill purpose and includes an explicit approval requirement.

Skill content

Send messages, manage message templates, handle media, and interact with customers through WhatsApp. ... All write operations require explicit user approval.

Recommendation

Before any send, create, update, or delete action, verify the connection, phone number ID, recipient, message/template content, and expected business impact.

What this means

Anyone or any agent process with the API key could potentially make authorized WhatsApp Business API requests through the Maton connection.

Why it was flagged

The skill requires a Maton API key and uses managed OAuth to act on the connected WhatsApp Business account, which is expected but sensitive delegated authority.

Skill content

Authorization: Bearer $MATON_API_KEY ... Maton proxies requests to `graph.facebook.com` and automatically injects your OAuth token.

Recommendation

Store MATON_API_KEY securely, use the least-privileged or dedicated connection available, rotate/revoke credentials when no longer needed, and avoid exposing the key in chat logs or shared files.

What this means

Customer phone numbers, message contents, and business account activity may pass through an external API gateway.

Why it was flagged

WhatsApp request data, including message bodies and recipient identifiers, is routed through Maton before reaching Meta's Graph API. This third-party data flow is disclosed and central to the skill.

Skill content

Base URL ... `https://api.maton.ai/whatsapp-business/{native-api-path}` ... Maton proxies requests to `graph.facebook.com`

Recommendation

Use the skill only if your organization permits Maton as an intermediary for WhatsApp Business data, and avoid sending unnecessary sensitive customer information.