ClawHub

P-API - WhatsApp API

v1.2.1

Automate WhatsApp messaging, interactive content, instance and group management, catalogs, and webhooks via a scalable microservices API with an admin panel.

1· 1.8k·0 current·0 all-time
byRafa Martins@rafacpti23
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md clearly describes a WhatsApp automation API (endpoints, x-api-key header, base URL, integrations). However the registry metadata lists no required environment variables or primary credential despite the instructions explicitly requiring an API key and base URL; that inconsistency is unexplained.
Instruction Scope
Instructions remain within the stated WhatsApp API scope (send messages, manage instances, webhooks, integrations). They direct network calls to an external service (papi.api.br or a user-provided base URL) and reference configuring TOOLS.md (which is not included). The instructions do not request unrelated local files or system state.
Install Mechanism
No install spec and no code files — this is instruction-only documentation, so nothing will be written to disk at install time (lowest install risk).
!
Credentials
The skill's docs require an API key (x-api-key) and a base URL and reference other service tokens (e.g., Chatwoot token) for integrations, but the manifest declares no required env vars or primary credential. Requesting external service tokens would be proportionate for this functionality, but the omission in the manifest is a red flag (either an oversight or incomplete packaging).
Persistence & Privilege
always is false and there is no install script. The skill does allow normal autonomous invocation (platform default), which is expected for an integration skill. It does not request persistent system privileges or modify other skills.
What to consider before installing
This skill appears to be documentation for a WhatsApp API (papi.api.br) and will instruct the agent to call external endpoints using an API key and base URL. Before installing, confirm who operates the endpoint (papi.api.br), and do not provide platform-wide secrets unless you trust the provider. Ask the publisher to: (1) update the manifest to declare required env vars (base URL and API key) so the platform can request them explicitly, (2) provide a privacy/security statement and contact, and (3) supply the missing TOOLS.md or clear instructions on where the agent should store credentials. If you plan to use webhooks, ensure your webhook endpoint validates incoming requests (signature or IP allowlist) and avoid exposing high-privilege credentials. If you cannot verify the provider or the missing manifest fields, treat installation as higher-risk and consider alternative well-known integrations.

Like a lobster shell, security has layers — review code before you run it.

latestvk979vfqw5r3bqqaafy2vh18dad80rmqw

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments