farid wa

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: faridwahysapp
Version: 1.0.0

The skill provides a standard integration for the WhatsApp Business API via a third-party gateway (maton.ai). It includes documentation and Python/JavaScript code snippets for sending messages, managing media, and handling OAuth connections using the MATON_API_KEY environment variable. No evidence of malicious intent, data exfiltration, or harmful prompt injection was found in SKILL.md or the provided logic.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

You may be granting business-messaging access while the package publisher/source is unclear or inconsistent.

Why it was flagged

The registry identity is unknown/faridwahysapp, while bundled _meta.json says slug "whatsapp-business" version "1.0.3" and SKILL.md says author "maton". That provenance mismatch matters because the skill asks for a Maton API key and WhatsApp Business OAuth access.

Skill content

Name: farid wa; Source: unknown; Slug: faridwahysapp; Version: 1.0.0

Recommendation

Verify the publisher and source before installing, especially if you will provide a MATON_API_KEY or connect a WhatsApp Business account.

What this means

A user or agent copying the example could attempt to use or expose a specific connection identifier instead of selecting the user's intended WhatsApp Business connection.

Why it was flagged

The Maton API key authorizes account actions, and the Maton-Connection header selects a managed OAuth connection. The executable example uses a concrete connection UUID instead of a placeholder.

Skill content

req.add_header('Authorization', f'Bearer {os.environ["MATON_API_KEY"]}')
req.add_header('Maton-Connection', '21fd90f9-5935-43cd-b6c8-bde9d915ca80')

Recommendation

Replace the UUID with a placeholder in the skill docs and require users to list/select their own connection before sending messages or managing account resources.

What this means

If used with valid credentials, the agent can send real customer messages and change WhatsApp Business resources.

Why it was flagged

These are high-impact external actions, but they are disclosed and aligned with the skill's stated WhatsApp Business integration purpose.

Skill content

Access the WhatsApp Business API with managed OAuth authentication. Send messages, manage message templates, handle media, and interact with customers through WhatsApp.

Recommendation

Review recipients, message content, phone number IDs, and template/account changes before allowing the agent to make requests.

What this means

Customer communication data and business account actions may be processed by Maton and Facebook as part of normal operation.

Why it was flagged

The data flow through Maton and Facebook is disclosed and expected, but message contents, recipient phone numbers, and account actions will pass through that gateway/provider path.

Skill content

The gateway proxies requests to `graph.facebook.com` and automatically injects your OAuth token.

Recommendation

Only send data permitted by your privacy/compliance rules and ensure you trust the Maton gateway for this integration.