Evolution Api v2
Pass
Audited by ClawScan on May 10, 2026.
Overview
This instruction-only skill is consistent with WhatsApp/Evolution API automation, but it gives access to powerful messaging, admin, webhook, and integration capabilities that users should control carefully.
Install only if you intend to let the agent help operate an Evolution API/WhatsApp account. Configure least-privilege keys, confirm recipients and destructive actions before use, and only send webhooks or Chatwoot/SQS/RabbitMQ data to services you trust.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent with the configured keys could send messages or perform administrative instance actions on the connected WhatsApp/Evolution API account.
The skill documents raw API operations that can send WhatsApp messages and delete Evolution API instances. These actions are central to the stated automation purpose, but they are high-impact if used without explicit user intent.
curl -X POST "$EVO_API_URL/message/sendText/$EVO_INSTANCE" ... "number": "5511999999999", "text": "Hello from Evolution API v2! 🚀" ... "DELETE /instance/delete/{instance}"
Use this skill only with explicit user approval for message-sending, group/admin, and delete/logout actions; prefer least-privilege instance keys over the global admin key when possible.
If these keys are exposed or used too broadly, someone could manage instances or send WhatsApp messages through the configured account.
The skill requires API credentials that can administer instances and send messages. This is expected for Evolution API automation, but these credentials are powerful.
EVO_GLOBAL_KEY: "Global API key for admin operations (instance management)" ... EVO_API_KEY: "Instance-specific API key for messaging operations"
Store keys securely, rotate them if exposed, and use separate lower-privilege keys for routine messaging where the Evolution API deployment supports it.
Private chats, message events, or media could be sent to external webhook or integration services if configured.
The skill documents forwarding WhatsApp events, and potentially base64 media payloads, to webhook endpoints. This is a normal integration feature but can transmit private message data outside WhatsApp/Evolution API.
"webhook": { "url": "https://webhook.site/your-id", "base64": true, ... "events": ["MESSAGES_UPSERT", "CONNECTION_UPDATE"] }
Only configure trusted webhook destinations, avoid test endpoints for real data, and document what message events and media are being forwarded.
Once configured, the connected Evolution API instance may continue receiving, forwarding, or processing WhatsApp events without further interaction in the current agent session.
The skill documents integrations and settings that can keep message processing or presence behavior active after initial configuration. This is disclosed and purpose-aligned automation, not hidden persistence.
"rabbitmq": { "enabled": true, "events": ["MESSAGES_UPSERT"] }, "sqs": { "enabled": true, "events": ["MESSAGES_UPSERT"] } ... "alwaysOnline": true
Track enabled webhooks, queues, bots, and always-online settings, and disable or delete them when automation is no longer required.
