Evolution Api v2
v2.3.0Complete WhatsApp automation via Evolution API v2.3 - instances, messages (text/media/polls/lists/buttons/status), groups, labels, chatbots (Typebot/OpenAI/Dify/Flowise/N8N/EvoAI), webhooks, proxy, S3 storage, and Chatwoot integration
⭐ 1· 935·0 current·0 all-time
by@impa365
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description align with the SKILL.md: it documents Evolution API v2.3 for WhatsApp automation (instances, messaging, groups, chatbots, webhooks, S3, Chatwoot). The declared runtime environment variables in SKILL.md (EVO_API_URL, EVO_GLOBAL_KEY, EVO_INSTANCE, EVO_API_KEY) are appropriate for that purpose. However the registry metadata reported earlier lists no required env vars — a discrepancy between published metadata and the skill's runtime instructions.
Instruction Scope
SKILL.md is instruction-only and stays within the API's domain: curl/HTTP calls to EVO_API_URL for instance management, messaging, etc. It does not instruct reading local files or unrelated system settings. It does, however, include examples to configure webhooks, RabbitMQ/SQS, Chatwoot and proxy credentials — all of which can forward incoming messages or events to arbitrary external endpoints, so misconfiguration or pointing those to untrusted URLs could leak message content.
Install Mechanism
No install spec and no code files — lowest-risk distribution model. Nothing is downloaded or written to disk by the skill itself.
Credentials
The SKILL.md requires multiple secrets (global admin key and per-instance API key) which are appropriate for managing and sending WhatsApp messages. But the published registry metadata listed no required environment variables or primary credential — this mismatch is concerning because the runtime instructions clearly require sensitive credentials. Also the skill guides inclusion of webhook headers or external service tokens (Chatwoot, RabbitMQ/SQS, proxy creds, S3) in instance creation payloads; those are expected for integrations but increase the attack surface if provided to an untrusted API host.
Persistence & Privilege
always:false and user-invocable:true (defaults) — the skill does not request forced persistent inclusion or other elevated platform privileges. It does not modify other skills or system-wide agent settings in the instructions.
What to consider before installing
This skill appears to be a documentation-only helper for an Evolution WhatsApp API and is coherent with that purpose, but review these points before installing: 1) The SKILL.md expects EVO_API_URL, EVO_GLOBAL_KEY (admin), EVO_INSTANCE and EVO_API_KEY (instance) — the registry metadata omitted these; treat that as a red flag and confirm required envs with the publisher. 2) Only give the GLOBAL_KEY to a trusted server; prefer using instance-level keys (EVO_API_KEY) for messaging. 3) Be careful when configuring webhooks, SQS/RabbitMQ, Chatwoot or S3 — those can forward message content to external services. Do not point webhooks to unknown third-party URLs or paste production credentials there. 4) Because this is instruction-only and has no code to inspect, verify the actual Evolution API server you will talk to (EVO_API_URL) is under your control or from a trusted provider before providing keys. 5) If you need higher assurance, ask the publisher for the canonical homepage/source code or run the API on infrastructure you control; otherwise treat metadata omissions as a sign to proceed cautiously.Like a lobster shell, security has layers — review code before you run it.
latestvk97fngbfn2c37q0m9nnr9trvjs80xar8
License
MIT-0
Free to use, modify, and redistribute. No attribution required.