WhatsApp cloud api reference
v1.0.0Use when implementing WhatsApp messaging via Meta Cloud API, or diagnosing failures like message not delivered, template rejected, webhook issues, phone not...
⭐ 0· 384·0 current·0 all-time
byRoman@romanbaz
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The name/description match the SKILL.md content (examples for sending messages, templates, media, and webhooks). However the registry metadata says 'Required env vars: none' and 'Primary credential: none' even though the examples rely on secrets/IDs (e.g., WA_ACCESS_TOKEN, WA_PHONE_NUMBER_ID, VERIFY_TOKEN). That omission is incoherent and downplays the need for sensitive credentials.
Instruction Scope
The instructions and code samples stay inside the stated purpose (sending messages, templates, media, webhook handling, constraints). There is no obvious instruction to read arbitrary system files or to transmit data to endpoints outside Meta's graph.facebook.com or user-specified media hosts. Note: the SKILL.md references environment variables and webhook setup that are needed at runtime but were not declared in metadata.
Install Mechanism
This is an instruction-only skill with no install spec and no code files — lowest install risk. The samples suggest installing common libs (axios, requests) but the skill does not itself install packages or download remote code.
Credentials
The SKILL.md expects sensitive values in environment variables (WA_ACCESS_TOKEN, WA_PHONE_NUMBER_ID, VERIFY_TOKEN and potentially a System User token), yet the skill declares none. Requiring these credentials would be proportional to the purpose, but failing to declare them is a red flag: users won't be warned that secrets are needed, and an automated system may not protect them appropriately.
Persistence & Privilege
The skill is not always-included and does not request persistent privileges. There is no evidence it attempts to modify other skills or system-wide settings.
What to consider before installing
This appears to be a legitimate WhatsApp Cloud API reference, but the registry metadata is missing required environment variables that the examples clearly use. Before installing or enabling this skill:
- Treat the examples as requiring secrets: WA_ACCESS_TOKEN (access token), WA_PHONE_NUMBER_ID (phone number id), and VERIFY_TOKEN (webhook verification token). Ask the author to declare these explicitly in requires.env/primaryEnv.
- Do not paste real access tokens into public or shared prompts. Store tokens in a secure environment and use least privilege (narrow scopes, rotate tokens).
- Verify the SKILL.md claim about a "permanent" System User token — prefer short-lived tokens or token rotation when possible.
- Inspect the rest of the SKILL.md (it was truncated in your copy) to confirm there are no instructions to forward payloads to non-Meta endpoints or to exfiltrate message contents.
- Because this is instruction-only, it won't install software, but the skill assumes your runtime will provide the environment variables and networking needed to call Meta APIs and serve a public HTTPS webhook. Ensure your hosting, TLS, and webhook handling meet Meta's security recommendations.
If you want, provide the full (untruncated) SKILL.md or ask the skill author to update the metadata to list the required env vars — that would raise this assessment to benign if no other issues appear.Like a lobster shell, security has layers — review code before you run it.
latestvk97e3j2p7c1s99794me4khyqq181q4at
License
MIT-0
Free to use, modify, and redistribute. No attribution required.