EngageLab WhatsApp Business

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill is a coherent EngageLab WhatsApp API helper, but its callback guidance recommends unauthenticated webhooks, which needs careful review.

Use this skill only if you intend the agent to send WhatsApp messages or manage WABA templates through EngageLab. Protect the DevKey/DevSecret, manually review message sends and template mutations, and do not deploy the callback webhook guidance as-is without additional source-validation controls.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used as written, fake callback events could be posted to the user's endpoint and may trigger incorrect automations or spoofed customer replies/status changes.

Why it was flagged

This is the setup guidance for webhook callbacks carrying delivery status and user response events. Recommending no authentication or signature validation makes webhook origin and integrity unclear.

Skill content

Your endpoint must: ... Accept `POST` requests ... Return HTTP 200 within 3 seconds ... Not require authentication (callback security mechanism is pending)

Recommendation

If enabling callbacks, add compensating controls such as a secret callback URL, IP allowlisting, reverse-proxy validation, strict schema checks, idempotency, and manual review before irreversible downstream actions.

What this means

Anyone with these credentials could potentially send messages or manage templates through the user's EngageLab account.

Why it was flagged

The skill needs EngageLab account credentials and sends them as HTTP Basic Authentication, which is expected for the provider but grants real account API authority.

Skill content

The user must provide their `dev_key` (DevKey) and `dev_secret` (DevSecret). Encode them as `base64("dev_key:dev_secret")` and set the `Authorization` header.

Recommendation

Use dedicated, least-privilege credentials where possible, avoid pasting secrets into shared logs or chats, and rotate the DevSecret if it is exposed.

What this means

A mistaken or overly broad request could send messages to customers or change/delete messaging templates in the user's business account.

Why it was flagged

The skill exposes actions that can contact external recipients and mutate business messaging templates. These actions are disclosed and purpose-aligned, but they are high-impact if invoked with the wrong recipients or template names.

Skill content

Send Messages — Deliver template, text, image, video, audio, document, and sticker messages ... Template Management — Create, list, get, update, and delete WABA message templates

Recommendation

Confirm recipient lists, message content, template names, and delete/update operations before execution; test with small recipient sets first.