WhatsApp cloud api reference
Review
Audited by ClawScan on May 1, 2026.
Overview
This instruction-only WhatsApp API reference is coherent, but it involves real business messaging tokens, outbound messages, and public webhook/media endpoints that should be handled carefully.
This appears safe as a reference-only skill, but before using it in production, verify details with Meta’s official docs, protect WhatsApp access tokens, limit permissions where possible, and confirm before sending real customer messages or exposing public webhook/media URLs.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If mishandled, this token could allow unauthorized WhatsApp Business messaging or account-management actions.
The skill explicitly tells users to create and use a long-lived Meta credential with messaging and management permissions.
Always use a System User token — user tokens expire in 24 hours ... Assign permissions: `whatsapp_business_messaging` + `whatsapp_business_management` ... Generate token — this never expires
Use least-privilege Meta system users where possible, store tokens in a secret manager or protected environment variables, and rotate/revoke tokens if exposed.
Using the examples with live credentials can send real messages to customers or recipients.
The skill provides direct API examples for sending WhatsApp messages through Meta Graph API.
curl -X POST "https://graph.facebook.com/v21.0/YOUR_PHONE_ID/messages" ... -H "Authorization: Bearer YOUR_ACCESS_TOKEN" ... "type":"text","text":{"body":"Hello"}
Keep message sending user-directed, confirm recipients and message content, and follow the documented template and 24-hour conversation-window rules.
A poorly protected webhook could receive spoofed or noisy requests, or expose message/status data through logs or handlers.
The skill describes exposing a public webhook endpoint for Meta callbacks, which is expected for WhatsApp integration but creates an external communication boundary.
Set up webhook — needs public HTTPS URL ... must respond in < 10s
Use Meta webhook verification, validate request authenticity where supported, avoid logging sensitive message contents, and keep webhook handlers narrowly scoped.
Users cannot easily verify from the registry metadata whether the reference content matches Meta’s latest official guidance.
The registry metadata does not identify an upstream source or homepage for the reference content.
Source: unknown; Homepage: none
Cross-check implementation details, API versions, permissions, and policy constraints against Meta’s official WhatsApp Cloud API documentation before production use.
