GREEN-API

v1.0.0

Send and receive WhatsApp messages, manage groups, contacts, and instances via GREEN-API MCP gateway.

by Green API @support-greenapi
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Benign
medium confidence
Purpose & Capability
The skill is described as a GREEN-API WhatsApp integration and its tools (connect, send messages, manage groups, instance provisioning with partner_token) match that purpose. One small inconsistency: the README instructs adding an MCP server URL to the OpenClaw config (~/.openclaw/openclaw.json), but the skill metadata states no required config paths. Asking for instance_id/api_token/partner_token as tool params is expected for this purpose.
Instruction Scope
SKILL.md stays within the WhatsApp/GREEN-API domain: it instructs connecting an instance, using message/group/instance APIs, and optionally setting webhooks. Two items to flag for attention: (1) it says credentials are validated and "stored for the session" but does not specify storage location or retention — that should be clarified before trusting long-lived credentials; (2) the skill includes settings to configure webhook_url/webhook_url_token which, if set to arbitrary external endpoints, could forward incoming messages or events outside the user's control (this is a normal feature of webhook-capable integrations but is a data-exfiltration vector if misused).
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk. Nothing is downloaded or written by an automated installer as part of the skill package.
Credentials
No environment variables or system credentials are requested in the metadata. Credentials (instance_id, api_token, partner_token) are supplied as tool parameters, which is proportionate. The README's instruction to modify an OpenClaw config file is expected for adding an MCP server but is not declared in required config paths — a minor metadata omission.
Persistence & Privilege
The skill is not marked always:true and uses normal autonomous invocation. The only persistence implications in the docs are (a) adding an MCP server entry to the user's OpenClaw config (explicit setup step in README) and (b) unspecified session storage of credentials. Neither is inherently malicious, but you should confirm where credentials are persisted and how to remove them.
Assessment
This skill appears to do what it says: integrate OpenClaw with GREEN-API. Before installing or using it, (1) confirm you trust green-api.com and the specific MCP URL you add to ~/.openclaw/openclaw.json; (2) only provide instance_id/api_token/partner_token when you understand how they are stored and how to revoke them — ask the skill author where session credentials are persisted and how to clear them; (3) be cautious when configuring webhook_url/webhook_url_token (these will send incoming messages/events to that endpoint); (4) rotate tokens if you test the skill with real credentials and remove the MCP entry when no longer needed. If you need higher assurance, ask the author to declare required config paths in metadata and to document credential storage/retention explicitly.

Like a lobster shell, security has layers — review code before you run it.

latest vk978a0ajezzszj93q4pt0jk73h84daph

Runtime requirements

💬 Clawdis