moltflow
Automates WhatsApp Business interactions, enabling session management, messaging, and real-time event monitoring for enhanced customer engagement.
Install this skill
Security score
The moltflow skill was audited on May 27, 2026 and we found 43 security issues across 2 threat categories. Review the findings below before installing.
Categories Tested
Security Issues
Curl to non-GitHub URL
| 436 | curl -X POST https://apiv2.waiflow.app/api/v2/sessions \ |
Curl to non-GitHub URL
| 442 | curl -X POST https://apiv2.waiflow.app/api/v2/sessions/{session_id}/start \ |
Curl to non-GitHub URL
| 446 | curl https://apiv2.waiflow.app/api/v2/sessions/{session_id}/qr \ |
Curl to non-GitHub URL
| 450 | curl -X POST https://apiv2.waiflow.app/api/v2/messages/send \ |
Curl to non-GitHub URL
| 463 | curl -X POST https://apiv2.waiflow.app/api/v2/webhooks \ |
Curl to non-GitHub URL
| 478 | curl https://apiv2.waiflow.app/api/v2/groups/available/{session_id} \ |
Curl to non-GitHub URL
| 482 | curl -X POST https://apiv2.waiflow.app/api/v2/groups \ |
Webhook reference - potential data exfiltration
| 3 | description: "WhatsApp Business automation API for sessions, messaging, groups, labels, and webhooks. Use when: whatsapp, send message, create session, qr code, monitor group, label contacts, webhook. |
Webhook reference - potential data exfiltration
| 19 | Manage WhatsApp sessions, send messages, monitor groups, organize with labels, and receive real-time events via webhooks. |
Webhook reference - potential data exfiltration
| 29 | **Logistics company** — "Set up a webhook so my dispatch system gets notified the moment a driver sends a delivery confirmation photo." |
Webhook reference - potential data exfiltration
| 37 | - "Set up a webhook" or "listen for WhatsApp events" |
Webhook reference - potential data exfiltration
| 55 | | `webhooks` | `read/manage` | |
Webhook reference - potential data exfiltration
| 358 | ## Webhooks |
Webhook reference - potential data exfiltration
| 364 | | GET | `/webhooks` | List all webhooks | |
Webhook reference - potential data exfiltration
| 365 | | POST | `/webhooks` | Create a webhook | |
Webhook reference - potential data exfiltration
| 366 | | GET | `/webhooks/{id}` | Get webhook details | |
Webhook reference - potential data exfiltration
| 367 | | PATCH | `/webhooks/{id}` | Update a webhook | |
Webhook reference - potential data exfiltration
| 368 | | DELETE | `/webhooks/{id}` | Delete a webhook | |
Webhook reference - potential data exfiltration
| 369 | | POST | `/webhooks/{id}/test` | Send a test delivery | |
Webhook reference - potential data exfiltration
| 383 | ### Create Webhook |
Webhook reference - potential data exfiltration
| 385 | **POST** `/webhooks` |
Webhook reference - potential data exfiltration
| 387 | > **Security:** Webhook URLs are validated server-side — private IPs, cloud metadata endpoints, and non-HTTPS schemes are blocked. Only configure endpoints you control. Always set a `secret` for HMAC |
Webhook reference - potential data exfiltration
| 392 | "url": "https://example.com/webhooks/moltflow", |
Webhook reference - potential data exfiltration
| 404 | "url": "https://example.com/webhooks/moltflow", |
Webhook reference - potential data exfiltration
| 411 | ### Webhook Payload |
Webhook reference - potential data exfiltration
| 413 | Deliveries include an HMAC-SHA256 signature in the `X-Webhook-Signature` header (if a secret is configured). Verify this to ensure authenticity. |
Webhook reference - potential data exfiltration
| 460 | ### Set up a webhook for incoming messages |
Webhook reference - potential data exfiltration
| 463 | curl -X POST https://apiv2.waiflow.app/api/v2/webhooks \ |
Webhook reference - potential data exfiltration
| 468 | "url": "https://myapp.com/webhooks/whatsapp", |
External URL reference
| 14 | > ***Due to high demand and a recent registration issue, we're offering our top-tier Business plan with unlimited quotas for just $19.90/month on yearly billing — for a limited time only.*** [**Claim |
External URL reference
| 15 | > Free tier available. [Sign up](https://molt.waiflow.app/checkout?plan=free) |
External URL reference
| 43 | 1. **MOLTFLOW_API_KEY** -- Generate from the [MoltFlow Dashboard](https://molt.waiflow.app) under Settings > API Keys |
External URL reference
| 45 | 3. Base URL: `https://apiv2.waiflow.app/api/v2` |
External URL reference
| 392 | "url": "https://example.com/webhooks/moltflow", |
External URL reference
| 404 | "url": "https://example.com/webhooks/moltflow", |
External URL reference
| 436 | curl -X POST https://apiv2.waiflow.app/api/v2/sessions \ |
External URL reference
| 442 | curl -X POST https://apiv2.waiflow.app/api/v2/sessions/{session_id}/start \ |
External URL reference
| 446 | curl https://apiv2.waiflow.app/api/v2/sessions/{session_id}/qr \ |
External URL reference
| 450 | curl -X POST https://apiv2.waiflow.app/api/v2/messages/send \ |
External URL reference
| 463 | curl -X POST https://apiv2.waiflow.app/api/v2/webhooks \ |
External URL reference
| 468 | "url": "https://myapp.com/webhooks/whatsapp", |
External URL reference
| 478 | curl https://apiv2.waiflow.app/api/v2/groups/available/{session_id} \ |
External URL reference
| 482 | curl -X POST https://apiv2.waiflow.app/api/v2/groups \ |