Evolution Api Go - Evo Go

Warn

Audited by ClawScan on May 10, 2026.

Overview

This instruction-only skill matches its WhatsApp automation purpose, but it includes broad admin/messaging powers and settings that can sync full chat history or keep a WhatsApp session active without clear privacy boundaries.

Review this skill before use if you plan to connect a real WhatsApp account. Only use an Evolution API server you control or trust, prefer scoped instance tokens over a global admin key, confirm all sends/deletes/reconnects manually, and avoid enabling full-history sync or automatic read receipts unless you understand where that data will go and how to remove it.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent using these instructions could send messages or perform instance-management actions that affect a real WhatsApp account.

Why it was flagged

The skill documents direct API operations that can delete an Evolution API instance, and other visible examples send WhatsApp messages. These are aligned with the automation purpose but are high-impact actions if used without user confirmation.

Skill content
DELETE /instance/delete/{instance}
Header: apikey: $EVOGO_GLOBAL_KEY
Recommendation

Confirm recipients, message contents, bulk operations, reconnects, and deletes before executing API calls.

What this means

Anyone or any agent with these keys may be able to manage instances or send WhatsApp messages through the configured account.

Why it was flagged

The skill requires credentials that grant admin and messaging authority over the Evolution API/WhatsApp integration. This is expected for the stated purpose, but the privileges are broad.

Skill content
EVOGO_GLOBAL_KEY: "Global API key for admin operations (instance management)" ... EVOGO_API_KEY: "Instance-specific token for messaging operations"
Recommendation

Use the least-privileged token available, store keys securely, rotate them if exposed, and avoid sharing a global admin key unless instance management is truly needed.

What this means

Private WhatsApp conversations and read-status behavior could be exposed to or changed by the Evolution API integration more broadly than the user intended.

Why it was flagged

The documented instance settings can keep the WhatsApp session online, automatically mark messages/statuses as read, and sync full chat history. The artifact does not describe boundaries, retention, exclusions, or privacy safeguards for that synced history.

Skill content
"advancedSettings": { ... "alwaysOnline": true, "readMessages": true, "readStatus": true, "syncFullHistory": true }
Recommendation

Do not enable full-history sync, automatic read receipts, or always-online mode unless necessary; document where chat data is stored, who can access it, and how to disable or delete it.