automate-notifyer
Automates WhatsApp messaging with templates, AI bots, and analytics through the Notifyer by WhatsAble platform.
Security score
The automate-notifyer skill was audited on May 12, 2026 and we found 62 security issues across 2 threat categories. Review the findings below before installing.
Categories Tested
Security Issues
Webhook reference - potential data exfiltration
| 7 | message delivery logs, and manage developer webhooks (n8n / Make / Zapier integrations) |
Webhook reference - potential data exfiltration
| 8 | and IO webhooks (bidirectional incoming & outgoing). Use this skill after setup-notifyer |
Webhook reference - potential data exfiltration
| 24 | analytics, and webhooks — on a Notifyer account via the Console API (`https://api.insightssystem.com`). |
Webhook reference - potential data exfiltration
| 121 | ### Webhooks |
Webhook reference - potential data exfiltration
| 124 | node scripts/list-webhooks.js --type dev --pretty |
Webhook reference - potential data exfiltration
| 125 | node scripts/list-webhooks.js --type io --pretty |
Webhook reference - potential data exfiltration
| 126 | node scripts/create-webhook.js --url "https://hook.eu2.make.com/abc" --incoming --outgoing --signature |
Webhook reference - potential data exfiltration
| 127 | node scripts/create-webhook.js --type io --url "https://myapp.com/wh" --signature |
Webhook reference - potential data exfiltration
| 128 | node scripts/update-webhook.js --id 5 --status false # pause dev webhook |
Webhook reference - potential data exfiltration
| 129 | node scripts/update-webhook.js --type io --id "abc" --url "https://new-url.com" |
Webhook reference - potential data exfiltration
| 130 | node scripts/delete-webhook.js --id 5 --confirm |
Webhook reference - potential data exfiltration
| 131 | node scripts/delete-webhook.js --type io --id "abc" --confirm |
Webhook reference - potential data exfiltration
| 135 | Dev webhook `id` is integer; IO webhook `id` is text UUID. |
Webhook reference - potential data exfiltration
| 136 | See `references/webhooks-reference.md` for full field reference and CORS/auth details. |
Webhook reference - potential data exfiltration
| 273 | ### Webhooks |
Webhook reference - potential data exfiltration
| 275 | - **Two distinct webhook systems** — "Dev webhooks" (`zapier_make_webhooks` table) are for |
Webhook reference - potential data exfiltration
| 276 | outbound automation triggers to n8n, Make, or Zapier. "IO webhooks" |
Webhook reference - potential data exfiltration
| 277 | (`webhook_incoming_and_outgoing` table) are for bidirectional real-time data pipelines. |
Webhook reference - potential data exfiltration
| 279 | - **Dev webhook endpoints ALL require `Origin: https://console.notifyer-systems.com`** — |
Webhook reference - potential data exfiltration
| 280 | Xano runs `/cors_origin_console` as step 1 on every `/webhook/dev/*` endpoint. Scripts |
Webhook reference - potential data exfiltration
| 282 | - **IO webhook endpoints do NOT require a CORS header** — none of the `/user/io/webhook` |
Webhook reference - potential data exfiltration
| 283 | endpoints run `/cors_origin_console`. Do not add Origin header to IO webhook calls. |
Webhook reference - potential data exfiltration
| 284 | - **Dev webhook id is integer; IO webhook id is TEXT** — never cast an IO webhook id to |
Webhook reference - potential data exfiltration
| 285 | an integer. Store and pass it as a string. The `update-webhook.js` and `delete-webhook.js` |
Webhook reference - potential data exfiltration
| 287 | - **Duplicate URL check (dev only)** — `create-webhook.js --type dev` will return |
Webhook reference - potential data exfiltration
| 288 | `{ ok: false, blocked: true }` if a dev webhook with the same URL already exists |
Webhook reference - potential data exfiltration
| 290 | - **`DELETE /webhook/dev/:id` is a PUBLIC ENDPOINT in Xano** — Xano marks this endpoint |
Webhook reference - potential data exfiltration
| 291 | as Public with only a CORS check and no `/get_user` call. `delete-webhook.js` mitigates |
Webhook reference - potential data exfiltration
| 292 | this at the script level: it first calls `GET /webhook/dev` (fully authenticated) to list |
Webhook reference - potential data exfiltration
| 293 | the account's webhooks, then verifies the requested ID belongs to the authenticated account |
Webhook reference - potential data exfiltration
| 294 | before allowing the delete. An attacker with only a webhook ID but no valid token cannot |
Webhook reference - potential data exfiltration
| 295 | use this script to delete a webhook. The raw API endpoint itself remains unauthenticated — |
Webhook reference - potential data exfiltration
| 297 | - **IO DELETE is fully authenticated** — unlike dev webhook delete, IO webhook delete |
Webhook reference - potential data exfiltration
| 298 | (`DELETE /user/io/webhook`) does run `/get_user`. It is safe. |
Webhook reference - potential data exfiltration
| 306 | - **IO PATCH `webhook` field is singular** — the PATCH body for IO webhooks uses `webhook` |
Webhook reference - potential data exfiltration
| 307 | (singular) while the GET response field is named `webhooks` (plural). The `update-webhook.js` |
Webhook reference - potential data exfiltration
| 310 | `{ is_incomingOutgoing_active: bool }` globally enables/disables the IO webhook feature |
Webhook reference - potential data exfiltration
| 311 | for the account. Individual IO webhook `status` flags are independent of this global toggle. |
Webhook reference - potential data exfiltration
| 312 | Both must be true for an IO webhook to receive events. |
Webhook reference - potential data exfiltration
| 316 | - **Update uses fetch-then-patch** — both `update-webhook.js` types call the list endpoint |
Webhook reference - potential data exfiltration
| 332 | | Developer/IO Webhooks | `/api:qh9OQ3OW` | Dev webhooks (Make/n8n/Zapier), IO webhooks, feature toggle, manual phone registration | |
Webhook reference - potential data exfiltration
| 358 | || `scripts/list-webhooks.js` | `GET /api:qh9OQ3OW/webhook/dev` or `/user/io/webhook` — list dev or IO webhooks (--type dev|io) | |
Webhook reference - potential data exfiltration
| 359 | || `scripts/create-webhook.js` | `POST /webhook/dev/create` or `/user/io/webhook` — create a webhook with triggers, signature key, and status | |
Webhook reference - potential data exfiltration
| 360 | || `scripts/update-webhook.js` | `PATCH /webhook/dev/:id` or `/user/io/webhook` — fetch-then-patch update for URL, status, triggers | |
Webhook reference - potential data exfiltration
| 361 | || `scripts/delete-webhook.js` | `DELETE /webhook/dev/:id` or `/user/io/webhook` — permanent delete with --confirm safety gate | |
Webhook reference - potential data exfiltration
| 371 | - `references/webhooks-reference.md` — Dev webhook and IO webhook full API reference: all endpoints, data types, CORS rules, id type differences, HMAC signature keys, feature toggle, manual phone regi |
Webhook reference - potential data exfiltration
| 389 | - **IO webhook `id` is a text UUID, not an integer.** Unlike dev webhook IDs. All IO webhook scripts handle this correctly — but external tools must treat the ID as a string. |
Webhook reference - potential data exfiltration
| 390 | - **`DELETE /webhook/dev/:id` is a public endpoint in Xano (no server-side user auth check).** `delete-webhook.js` adds an ownership verification step (authenticated `GET /webhook/dev` first) to block |
Webhook reference - potential data exfiltration
| 391 | - **IO webhook global feature toggle has no dedicated script.** `PATCH /api:qh9OQ3OW/user/incoming_outgoing/feature/status` (`{ is_incomingOutgoing_active: bool }`) globally enables or disables the IO |
Webhook reference - potential data exfiltration
| 400 | ||references:{analytics-reference.md,bots-reference.md,broadcasts-reference.md,templates-reference.md,webhooks-reference.md} |
Webhook reference - potential data exfiltration
| 401 | ||scripts:{create-bot.js,create-broadcast.js,create-template.js,create-webhook.js,delete-bot.js,delete-broadcast.js,delete-template.js,delete-webhook.js,get-bot.js,get-broadcast.js,get-message-analyti |
External URL reference
| 17 | api-base: https://api.insightssystem.com |
External URL reference
| 24 | analytics, and webhooks — on a Notifyer account via the Console API (`https://api.insightssystem.com`). |
External URL reference
| 41 | export NOTIFYER_API_BASE_URL="https://api.insightssystem.com" |
External URL reference
| 57 | --body "Check out our offer!" --type image --media-url "https://example.com/banner.jpg" |
External URL reference
| 126 | node scripts/create-webhook.js --url "https://hook.eu2.make.com/abc" --incoming --outgoing --signature |
External URL reference
| 127 | node scripts/create-webhook.js --type io --url "https://myapp.com/wh" --signature |
External URL reference
| 129 | node scripts/update-webhook.js --type io --id "abc" --url "https://new-url.com" |
External URL reference
| 197 | `POST https://api.openai.com/v1/assistants` before saving the bot. Both success and failure |
External URL reference
| 228 | - **Log endpoint requires CORS header** — `GET /api:ereqLKj6/log` runs `/cors_origin_console` as its first step. `get-message-logs.js` sends `Origin: https://console.notifyer-systems.com` automaticall |
External URL reference
| 236 | - **All broadcast endpoints require `Origin: https://console.notifyer-systems.com` header** — |
External URL reference
| 279 | - **Dev webhook endpoints ALL require `Origin: https://console.notifyer-systems.com`** — |