Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Evolution WhatsApp

v1.0.0

Manage WhatsApp via Evolution API: send messages, media, contacts, polls, manage groups, fetch chats, and summarize conversations.

by Kareem Adel (@kareemadelawwad)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name, description, SKILL.md, and evo.sh are coherent: the script implements sending messages/media, fetching chats/groups, and other WhatsApp operations via the Evolution API. The environment variables and endpoints used are appropriate for that purpose. However, the registry metadata declares no required environment variables even though both SKILL.md and evo.sh require EVO_BASE_URL, EVO_INSTANCE_TOKEN, and EVO_INSTANCE_NAME — a notable inconsistency.
Instruction Scope
The instructions and the shell script stay within the stated scope (calling Evolution API endpoints via curl). One runtime behavior to note: evo.sh will source a local .env file from the script directory if present, which can load any local environment values (potentially unrelated secrets) without explicit mention in SKILL.md; otherwise the script only reads the three Evolution-related env vars.
Install Mechanism
There is no install spec or remote download; this is an instruction-only skill with an included bash script. No external packages or archives are fetched, and nothing is written to disk by an installer.
Credentials
The script legitimately needs EVO_BASE_URL, EVO_INSTANCE_TOKEN, and EVO_INSTANCE_NAME to operate. However, the registry metadata does not declare these required env vars (it lists none), which is a mismatch that could hide the need to provide credentials. Additionally, the script's automatic sourcing of a .env file may cause it to load other local variables unexpectedly — this expands its effective access to secrets beyond the three documented vars unless the user ensures .env contains only intended values.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and has no install-time persistence requirements. It runs as a normal, user-invocable/autonomously-invocable skill and does not claim elevated system privileges.
What to consider before installing
This skill's behavior otherwise matches its description, but pay attention to these issues before installing:

  • Confirm the three environment variables (EVO_BASE_URL, EVO_INSTANCE_TOKEN, EVO_INSTANCE_NAME) will be provided by you; the skill will exit otherwise. The registry metadata omitted these — treat that as an authoring error and verify values before use.
  • Ensure EVO_BASE_URL points to a trusted Evolution API instance you control or trust. The script sends your EVO_INSTANCE_TOKEN in an HTTP header to that base URL — if the endpoint is malicious or public, the token could be misused.
  • Remove or sanitize any .env file in the skill directory (or modify the script) if you keep other secrets there; the script auto-sources .env, which may load unrelated sensitive values.
  • Prefer using a token with minimal scope and rotate it if you test on shared infrastructure. If you need stronger assurance, review the Evolution API server code and host it yourself rather than using an unfamiliar hosted instance.

If you want help: I can (a) produce a safer variant of evo.sh that refuses to source .env, (b) draft updated SKILL.md metadata to include the required env vars, or (c) write a checklist for self-hosting and hardening the Evolution API instance.

Like a lobster shell, security has layers — review code before you run it.

latestvk97a81byqhq88m6syn3bf97z8x820chk


SKILL.md

Evolution WhatsApp Skill

Control WhatsApp via Evolution API v2.

Configuration

Before using, configure your credentials:

export EVO_BASE_URL="https://your-evo-instance.com"
export EVO_INSTANCE_TOKEN="your-instance-token"
export EVO_INSTANCE_NAME="YourInstanceName"

Getting Credentials

  1. Deploy Evolution API — Use Evolution API or their hosted service
  2. Create an instance — Get your instance name and token
  3. Set environment variables — Add to your shell or OpenClaw config

Capabilities

  • Send text messages
  • Send media (images, videos, documents)
  • Send audio / voice notes
  • Send stickers
  • Send location
  • Send contacts
  • Send buttons / interactive messages
  • Send lists
  • Send polls
  • Create / manage groups
  • Fetch chats, messages, contacts
  • Summarize group conversations

Usage Examples

Send a message to +201234567890: Hello!
Send an image to [number]: https://example.com/image.jpg with caption "Check this out"
Get my recent chats
List my groups
Summarize group [group name]

Environment Variables

Variable | Description
EVO_BASE_URL | Your Evolution API base URL
EVO_INSTANCE_TOKEN | Your instance API token
EVO_INSTANCE_NAME | Your instance name (URL encoded if needed)

Notes

  • Ensure your Evolution API instance is running and accessible
  • The instance must be connected to WhatsApp
  • Check API documentation for rate limits and restrictions
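
The scan above notes that evo.sh sources any .env file beside it, which pulls in every variable that file defines. As an added example (not the skill's own code; the function names are hypothetical), this loader reads .env as data and accepts only the three documented variables. The https:// requirement in check_evo_config is an assumed policy, chosen because the token travels in a request header.

```shell
#!/bin/sh
# Added example: allow-list loader for a .env file (hypothetical helper names).
# The file is read as data and never sourced or eval'd, so command
# substitutions and unrelated variables in it have no effect.

load_evo_env() {
    _env_file=$1
    [ -f "$_env_file" ] || return 0            # a missing .env is not an error
    while IFS= read -r _line || [ -n "$_line" ]; do
        case $_line in
            ''|'#'*) continue ;;               # skip blank lines and comments
        esac
        _line=${_line#export }                 # tolerate an "export " prefix
        _key=${_line%%=*}
        _val=${_line#*=}
        case $_val in                          # strip one pair of matching quotes
            \"*\") _val=${_val#\"}; _val=${_val%\"} ;;
            \'*\') _val=${_val#\'}; _val=${_val%\'} ;;
        esac
        case $_key in
            EVO_BASE_URL)       EVO_BASE_URL=$_val ;;
            EVO_INSTANCE_TOKEN) EVO_INSTANCE_TOKEN=$_val ;;
            EVO_INSTANCE_NAME)  EVO_INSTANCE_NAME=$_val ;;
            *) ;;                              # any other key is ignored
        esac
    done < "$_env_file"
    export EVO_BASE_URL EVO_INSTANCE_TOKEN EVO_INSTANCE_NAME
}

# Assumed policy: all three variables must be set and the base URL must be
# https://, because EVO_INSTANCE_TOKEN is sent to it in a request header.
check_evo_config() {
    [ -n "${EVO_BASE_URL:-}" ] && [ -n "${EVO_INSTANCE_TOKEN:-}" ] \
        && [ -n "${EVO_INSTANCE_NAME:-}" ] \
        || { echo "missing EVO_* variable" >&2; return 1; }
    case $EVO_BASE_URL in
        https://?*) return 0 ;;
        *) echo "EVO_BASE_URL must use https://" >&2; return 1 ;;
    esac
}

# Usage in a wrapper script:
#   load_evo_env "$(dirname "$0")/.env" && check_evo_config || exit 1
```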

Files

2 total