EngageLab WhatsApp Business

This skill looks like a legitimate API client for EngageLab's WhatsApp service, but there are important inconsistencies you should consider before installing or supplying secrets: - The package does not declare any required environment variables or a primary credential, yet the client and documentation require dev_key/dev_secret (HTTP Basic). Expect the skill to prompt you for these credentials at runtime. Only provide them if you trust the publisher and the service. - The distributed bundle includes a Python client that imports the 'requests' library but the skill gives no install instructions or dependency list. Running it will likely require manually installing Python and requests; consider running in an isolated environment (container) and review the code first. - The callback documentation recommends accepting unauthenticated POSTs and explicitly says 'callback security mechanism is pending'. Exposing an unauthenticated webhook can allow spoofed events. If you use callbacks, put them behind your own verification (IP allowlist, HMAC auth, or a proxy that verifies payloads). - There is no homepage or known publisher listed. If you plan to use this in production, verify EngageLab's legitimacy and the publisher's identity (source repository, company site), and prefer using scoped API keys and least-privilege credentials. Actions you can take: review the included whatsapp_client.py file yourself (it appears readable and not obfuscated), run it in an isolated environment, confirm required dependencies, and avoid pasting real production credentials until you trust the source. If you need help assessing the code further, provide the full file and I can point out any problematic lines.