ClawHub

whatsapp biz responder

v1.0.0

Automated customer support for Indian small businesses using WhatsApp Business API. Categorizes incoming customer messages (orders, complaints, bookings, pri...

0· 293·0 current·0 all-time
by@utsavs
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The required env vars (WABA_PHONE_NUMBER_ID, WABA_ACCESS_TOKEN) are appropriate for a WhatsApp Business API responder. However, the SKILL.md instructs reading/writing a business profile at ~/.openclaw/openclaw.json even though no config path is declared in the manifest — that's a mismatch between the manifest and instructions.
!
Instruction Scope
Instructions tell the agent to read a home-directory config (~/.openclaw/openclaw.json), detect language, classify messages, store tickets in agent memory, and forward full conversations to the owner via an "OpenClaw messaging channel (WhatsApp/Telegram)". The forwarding/delivery mechanism and an email address (BUSINESS_EMAIL) are referenced but no outbound-channel credentials or BUSINESS_EMAIL env var are declared. The instructions therefore require access and actions beyond what's declared and grant broad discretion to forward user data.
Install Mechanism
This is an instruction-only skill with no install spec and no code files—no artifacts will be written to disk by an installer. That reduces install-time risk.
!
Credentials
The declared envs (WABA_PHONE_NUMBER_ID, WABA_ACCESS_TOKEN) are proportional. But the SKILL.md references additional configuration items (BUSINESS_EMAIL, OpenClaw/Telegram outbound channel/auth) and a local config path that are not declared as required. Missing declarations make it unclear what secrets or tokens the skill will actually need at runtime.
Persistence & Privilege
The skill stores ticket state in agent memory and will forward messages to the owner; 'always' is false and autonomous invocation is default. Storing customer conversations in memory and forwarding them is expected for escalation but is sensitive behavior the owner should explicitly approve. The skill does not request system-wide privileges or modify other skills.
What to consider before installing
Before installing, ask the author to: (1) explicitly declare any additional required env vars or credentials (e.g., BUSINESS_EMAIL, outbound channel tokens for Telegram/owner messaging), (2) add ~/.openclaw/openclaw.json to the skill's declared required config paths or change the design to use a clearly scoped config location, (3) describe exactly how escalation messages are delivered (which service, which credentials are used), (4) confirm retention and privacy of forwarded customer conversations and tickets (where they are stored, for how long, who can access them), and (5) ensure the WABA_ACCESS_TOKEN has least privileges needed and that you set up the webhook in Meta Business Manager to point only to a trusted endpoint. If the author cannot clarify and update the manifest to match SKILL.md, treat the skill as risky because it may read local config and forward sensitive customer data via undeclared channels.

Like a lobster shell, security has layers — review code before you run it.

latestvk977z21eekjt1eatm1ts1q7h0x81y4e9whatsappvk977z21eekjt1eatm1ts1q7h0x81y4e9whatsapp business respondervk977z21eekjt1eatm1ts1q7h0x81y4e9

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

💬 Clawdis
EnvWABA_PHONE_NUMBER_ID, WABA_ACCESS_TOKEN
Primary envWABA_ACCESS_TOKEN

Comments