Mycobot
Pending
Static analysis audit pending.
Overview
No static analysis result has been recorded yet. Pattern checks will appear here once the artifact has been analyzed.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or over-broad agent action could send messages to real customers or modify WhatsApp Business account resources.
This exposes broad WhatsApp Business Graph API access through a raw gateway path, including high-impact actions such as sending messages or changing account resources, without documented guardrails for confirmation, endpoint limits, or connection selection.
Replace `{native-api-path}` with the actual WhatsApp Business API endpoint path. The gateway proxies requests to `graph.facebook.com` and automatically injects your OAuth token.
Require explicit user confirmation for each mutating action, including the exact connection, phone number ID, recipient, message content, and endpoint; prefer scoped helper workflows over arbitrary native API paths.
Users may have difficulty verifying who published the credentialed integration they are installing.
The in-package metadata conflicts with the supplied registry listing for this review, which identifies the skill as owner `kn767fbmqhv2pa5xm2fcfshnfs81kj3p`, slug `mycobot`, version `1.0.0`. That mismatch creates a provenance and identity ambiguity for a skill that asks for credentialed account access.
"ownerId": "kn75240wq8bnv2qm2xgry748jd80b9r0", "slug": "whatsapp-business", "version": "1.0.3"
Resolve the registry/package metadata mismatch before installation, and verify the publisher and intended slug/version with the provider.
Anyone with the key may be able to use the connected WhatsApp Business integration within the key's permissions.
The API key is expected for a managed OAuth integration, but it is a sensitive credential that enables WhatsApp Business actions through Maton.
All requests require the Maton API key in the Authorization header: `Authorization: Bearer $MATON_API_KEY`
Use a dedicated, least-privilege Maton API key where possible, store it securely, rotate it if exposed, and revoke unused OAuth connections.
Customer contact details and message content may be processed by both Maton and WhatsApp/Facebook.
Requests, including recipient phone numbers and message contents, are routed through Maton's gateway before reaching WhatsApp/Facebook. This is disclosed and purpose-aligned, but users should recognize the third-party data flow.
https://gateway.maton.ai/whatsapp-business/{native-api-path}
Avoid sending unnecessary sensitive data, confirm Maton's data handling terms, and only use the skill for business data you are allowed to share with those providers.
