Whatsapp Business 1.0.3

Review

Audited by ClawScan on May 10, 2026.

Overview

This is a disclosed WhatsApp Business API guide that uses Maton OAuth/API credentials and can send real business messages, but the provided artifacts do not show hidden or malicious behavior.

Use this only if you trust Maton’s gateway and intend the agent to operate a WhatsApp Business account. Protect MATON_API_KEY, verify the connection ID, and require clear confirmation before sending messages, changing templates, or deleting connections.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used carelessly, the agent could make real WhatsApp Business API changes or send customer messages under the connected account.

Why it was flagged

The skill exposes a broad provider API surface through the gateway. This is expected for an API-integration skill, but it can include write operations such as sending messages or managing resources.

Skill content

Replace `{native-api-path}` with the actual WhatsApp Business API endpoint path. The gateway proxies requests to `graph.facebook.com`

Recommendation

Confirm recipients, message content, endpoint paths, and destructive or account-management actions before use.

What this means

Anyone or any agent with access to the configured MATON_API_KEY may be able to act through the connected WhatsApp Business account.

Why it was flagged

The Maton API key and managed OAuth connection let requests act with delegated WhatsApp Business account authority.

Skill content

The gateway proxies requests to `graph.facebook.com` and automatically injects your OAuth token.

Recommendation

Store MATON_API_KEY securely, use the least-privileged intended account/connection, and revoke or delete connections that are no longer needed.

What this means

Requests may fail or could target an unintended connection if the copied identifier is accepted by the service.

Why it was flagged

The documentation includes a concrete connection identifier in an example header instead of a placeholder, which could be copied accidentally or reveal a resource identifier.

Skill content

req.add_header('Maton-Connection', '21fd90f9-5935-43cd-b6c8-bde9d915ca80')

Recommendation

Replace the sample value with the user's own connection ID; the skill author should change the example to a placeholder.

What this means

Customer phone numbers, message text, and related business data may be processed by Maton and Meta/WhatsApp when the skill is used.

Why it was flagged

Message payloads and recipient identifiers are sent through Maton's gateway to the WhatsApp/Graph API. This is disclosed and purpose-aligned, but it is still a third-party data flow.

Skill content

req = urllib.request.Request('https://gateway.maton.ai/whatsapp-business/v21.0/PHONE_NUMBER_ID/messages', data=data, method='POST')

Recommendation

Only send data that is appropriate for WhatsApp Business processing and your organization’s privacy/compliance requirements.