OpenAi Berto
Review
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a WhatsApp Business API skill, but it grants broad account-changing messaging authority through a third-party gateway and has inconsistent package identity metadata.
Before installing, verify that this is the intended Maton WhatsApp Business skill, confirm the publisher despite the metadata mismatches, and only provide MATON_API_KEY if you are comfortable with the agent making WhatsApp Business API calls. For each send or account-changing action, explicitly confirm the connection, phone number ID, recipient, and message/template content.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could send messages or make other WhatsApp Business API changes beyond a narrowly described task if the user gives it the key and does not closely supervise the request.
This exposes a broad raw gateway to WhatsApp Business API endpoints rather than only narrowly scoped helper actions, so an agent with the API key could perform any allowed account operation.
https://gateway.maton.ai/whatsapp-business/{native-api-path} ... Replace `{native-api-path}` with the actual WhatsApp Business API endpoint path. The gateway proxies requests to `graph.facebook.com` and automatically injects your OAuth token.
Use this only for explicit WhatsApp tasks, and confirm recipient numbers, message content, phone_number_id, connection_id, and any template/account mutations before sending requests.
Messages or account changes could be made through the wrong WhatsApp Business connection if the agent does not explicitly select the intended connection.
The Maton API key and OAuth connection select a real WhatsApp Business account, and the documented default connection behavior can be ambiguous for users with multiple connected accounts.
All requests require the Maton API key in the Authorization header ... If omitted, the gateway uses the default (oldest) active connection.
Always specify the intended Maton-Connection and WhatsApp phone_number_id, and avoid letting the agent rely on the default connection for customer-facing actions.
It is harder to verify that the skill package, registry listing, and claimed Maton WhatsApp integration all come from the same trusted publisher.
This conflicts with the provided registry metadata showing a different owner ID, slug `whatsaoo`, and version `1.0.0`, while the displayed skill name is also different from the SKILL.md name.
"ownerId": "kn75240wq8bnv2qm2xgry748jd80b9r0", "slug": "whatsapp-business", "version": "1.0.3"
Confirm the publisher and package identity before providing a Maton API key or authorizing a WhatsApp Business OAuth connection.
Message data and account requests are handled by a third-party gateway in addition to WhatsApp/Meta.
Customer phone numbers, message contents, and WhatsApp Business API requests pass through Maton's gateway as part of the managed OAuth design.
The gateway proxies requests to `graph.facebook.com` and automatically injects your OAuth token.
Use this only if you trust Maton with the WhatsApp Business data involved, and avoid sending sensitive customer information unless necessary.
