Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Evolution Api Go - Evo Go
v1.0.1Complete WhatsApp automation via Evolution API Go v3 - instances, messages (text/media/polls/carousels), groups, contacts, chats, communities, newsletters, and real-time webhooks
⭐ 0· 944·0 current·0 all-time
by@impa365
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The SKILL.md describes a WhatsApp automation API and legitimately requires an API URL plus two different API keys (global/admin and instance token). However the registry metadata claims no required env vars or primary credential — this mismatch is unexpected. The declared capabilities (instance management, messaging, logs, history sync) are coherent with a WhatsApp API, but metadata omission is an integrity concern.
Instruction Scope
The instructions stick to the stated purpose (curl examples for creating instances, connecting, sending messages, media uploads, polls, etc.). However examples include powerful operations: creating instances with 'syncFullHistory', retrieving logs, and using a global admin key. These actions enable access to full chat history and logs and could transmit user messages to the EVOGO_API_URL endpoint. The SKILL.md also shows file-upload examples (/path/to/file.jpg) — the agent could be asked to send local files to the remote API if invoked that way.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so it does not write code to disk or pull external binaries. That lowers install-time risk.
Credentials
The README requires EVOGO_API_URL, EVOGO_GLOBAL_KEY, EVOGO_INSTANCE, and EVOGO_API_KEY — all sensitive. The registry metadata, however, lists none of these. Requesting both a global admin key and an instance token is reasonable for the documented admin vs messaging operations, but the omission from metadata and lack of a declared primary credential are disproportionate and reduce transparency. The examples encourage use of the global key for instance management and enabling 'syncFullHistory', which could expose broad data if the remote API is not trusted.
Persistence & Privilege
The skill does not request always: true, has no install scripts, and does not declare system-wide config paths. It does, however, rely on the agent having network access to the EVOGO_API_URL. Autonomous invocation is allowed (platform default) but not by itself a new risk here.
What to consider before installing
This skill appears to be a legitimate client for an Evolution WhatsApp API, but the registry metadata failing to list required sensitive environment variables is a red flag. Before installing: 1) Confirm the skill's source and get a homepage or repository — don't provide admin or instance tokens to unknown services. 2) Prefer running a self-hosted EVOGO_API_URL (localhost) rather than a third-party hosted URL if you must test. 3) Never give the EVOGO_GLOBAL_KEY unless you trust the operator — use instance-level EVOGO_API_KEY for messaging when possible. 4) Avoid enabling 'syncFullHistory' or broad log access unless you control the server, since those settings can cause full chat history to be transmitted. 5) Ask the publisher to update the registry metadata to declare required env vars and the primary credential; lack of declaration reduces transparency. If you need higher assurance, request the skill's source code or run your own instance of Evolution API Go and test there.Like a lobster shell, security has layers — review code before you run it.
latestvk97ahyh5hpscem4csb37rz7hc180xj78
License
MIT-0
Free to use, modify, and redistribute. No attribution required.