whatsapp-cloud-api
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [SAFE]: The skill provides a set of well-documented boilerplate templates and utility scripts for Meta's official WhatsApp Business Cloud API. It correctly implements security protocols such as timing-safe HMAC validation for webhooks and provides guidance on secure token management.\n- [PROMPT_INJECTION]: The skill processes untrusted external data (WhatsApp messages) which constitutes an indirect prompt injection surface if the content is forwarded to an LLM.\n
- Ingestion points: Incoming messages are received via POST requests to the
/webhookendpoint inassets/boilerplate/python/app.pyandassets/boilerplate/nodejs/src/index.ts.\n - Boundary markers: No specific boundary markers or 'ignore' instructions are present in the provided templates to isolate untrusted user input.\n
- Capability inventory: The skill possesses capabilities to send messages and interact with the WhatsApp API, which could be misused if an attacker successfully injects instructions into the processing pipeline.\n
- Sanitization: The boilerplate code provides basic extraction but lacks sanitization or validation of the message body before it is processed by the logic handlers.
Audit Metadata