whatsapp-bot-builder
Creates WhatsApp bots using the WhatsApp Business API for automated customer communication and interactive messaging.
Security score
The whatsapp-bot-builder skill was audited on Mar 7, 2026 and we found 27 security issues across 4 threat categories, including 1 high-severity. Review the findings below before installing.
Categories Tested
Security Issues
Template literal with variable interpolation in command context
| 90 | await fetch(`https://graph.facebook.com/v21.0/${PHONE_ID}/messages`, { |
Template literal with variable interpolation in command context
| 93 | 'Authorization': `Bearer ${TOKEN}`, |
Template literal with variable interpolation in command context
| 195 | const media = await fetch(`https://graph.facebook.com/v21.0/${mediaId}`, { |
Template literal with variable interpolation in command context
| 196 | headers: { 'Authorization': `Bearer ${TOKEN}` } |
Template literal with variable interpolation in command context
| 201 | headers: { 'Authorization': `Bearer ${TOKEN}` } |
Webhook reference - potential data exfiltration
| 9 | integration, whatsapp cloud api, whatsapp template, whatsapp webhook, |
Webhook reference - potential data exfiltration
| 24 | Builds WhatsApp bots using the official Cloud API (hosted by Meta). Covers account setup, webhook configuration, sending and receiving messages, template messages for outbound campaigns, interactive c |
Webhook reference - potential data exfiltration
| 43 | WHATSAPP_VERIFY_TOKEN=my_secret # Webhook verification token (you choose this) |
Webhook reference - potential data exfiltration
| 46 | ### 2. Webhook Setup |
Webhook reference - potential data exfiltration
| 48 | WhatsApp sends incoming messages via webhooks: |
Webhook reference - potential data exfiltration
| 55 | // Webhook verification (GET) |
Webhook reference - potential data exfiltration
| 56 | app.get('/webhook', (req, res) => { |
Webhook reference - potential data exfiltration
| 69 | app.post('/webhook', (req, res) => { |
Webhook reference - potential data exfiltration
| 82 | Register webhook URL in Meta Developer Console → WhatsApp → Configuration. |
Webhook reference - potential data exfiltration
| 225 | - **Must have HTTPS** — WhatsApp requires TLS for webhooks |
Webhook reference - potential data exfiltration
| 228 | - Implement message deduplication (WhatsApp may retry webhook deliveries) |
Webhook reference - potential data exfiltration
| 236 | **Output:** A Node.js webhook server with: |
Webhook reference - potential data exfiltration
| 256 | - Always respond HTTP 200 to webhooks within 5 seconds (process async) |
Webhook reference - potential data exfiltration
| 258 | - Implement idempotency — WhatsApp retries webhook deliveries on timeout |
Webhook reference - potential data exfiltration
| 265 | - For high volume: use a message queue between webhook receiver and processor |
Ngrok tunnel reference
| 226 | - Use ngrok for local development |
Access to .env file
| 61 | if (mode === 'subscribe' && token === process.env.WHATSAPP_VERIFY_TOKEN) { |
External URL reference
| 30 | 1. Create a Meta Business account at https://business.facebook.com |
External URL reference
| 31 | 2. Go to https://developers.facebook.com → Create App → Business type |
External URL reference
| 90 | await fetch(`https://graph.facebook.com/v21.0/${PHONE_ID}/messages`, { |
External URL reference
| 186 | link: 'https://example.com/photo.jpg', // Public URL |
External URL reference
| 195 | const media = await fetch(`https://graph.facebook.com/v21.0/${mediaId}`, { |