Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenAi Berto

v1.0.0

WhatsApp Business API integration with managed OAuth. Send messages, manage templates, and handle conversations. Use this skill when users want to interact w...

by Berto Rodríguez (@notrellz) · duplicate of @dabhadeamol6/mycobot
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
SKILL.md implements a WhatsApp Business gateway using maton.ai endpoints and requires MATON_API_KEY — this is coherent with the stated purpose. However, the registry name and provided top-level metadata ('OpenAi Berto', slug 'whatsaoo') do not match the SKILL.md (name 'whatsapp-business', author 'maton', slug in _meta.json 'whatsapp-business'). These naming/identity mismatches are unexpected.
Instruction Scope
Runtime instructions are instruction-only and limited: example code issues HTTP requests to gateway.maton.ai / ctrl.maton.ai and reads only the MATON_API_KEY environment variable. The SKILL.md does not instruct reading unrelated files or other environment variables, nor does it direct data to unexpected external endpoints beyond the Maton service.
Install Mechanism
No install spec and no code files to be written/executed by an installer — lowest-risk delivery mechanism. The skill is instruction-only.
Credentials
Only MATON_API_KEY is required and used in examples, which is proportionate for a gateway/proxy to Maton. Minor mismatch: the registry metadata lists a required env var, but 'primary credential' is unset; this is likely benign but inconsistent.
Persistence & Privilege
The skill does not request always: true, does not require config paths, and is user-invocable only. No persistent or elevated platform privileges are requested.
What to consider before installing
This skill's code and examples legitimately use a single MATON_API_KEY to call maton.ai gateways (appropriate for a WhatsApp Business proxy). However, the package/registry metadata contains several inconsistencies (different skill name, differing ownerId and slug in _meta.json, version mismatch, and no homepage). Before installing:
1) verify the publisher identity (confirm the ownerId and that maton.ai is the intended provider);
2) prefer skills with a homepage or official publisher record;
3) only provide a MATON API key scoped/minimized for testing (use a sandbox/test account if possible);
4) rotate the API key after testing or if you become unsure;
5) monitor outgoing traffic and logs for unexpected endpoints.
These checks will reduce risk in case the metadata mismatches indicate repackaging or a supply-chain issue.

Like a lobster shell, security has layers — review code before you run it.

latestvk97e95z8k3h1vaqywed87jrtmx8396km


Runtime requirements

🧠 Clawdis
Env: MATON_API_KEY
