whatsapp-mcp
An MCP server that connects to WhatsApp Web (via whatsmeow), syncs messages to a local SQLite database, and exposes WhatsApp functionality (tools/prompts/resources) to MCP-compatible AI clients over an HTTP/SSE endpoint. It supports chat listing, message retrieval with pagination/sender filtering, cross-chat search, finding chats by fuzzy name, sending messages, loading older history, and retrieving the user profile info.
Score Breakdown
⚙ Agent Friendliness
🔒 Security
Security is described as “API key authentication” and “HTTPS ready,” but details are not provided. The API key is embedded in the URL path, which increases leakage risk via logs, browser history, or intermediary proxies. Data is stored locally and includes sensitive WhatsApp content and session credentials; README warns about file permissions. Unofficial WhatsApp Web integration introduces operational and security risk beyond the typical official API threat model.
⚡ Reliability
Best When
You have a trusted environment, can secure local session/database data, and want an AI agent to interact with WhatsApp through MCP tools.
Avoid When
You cannot secure access to the MCP HTTP endpoint (API key in URL path), your threat model includes attackers who could exfiltrate WhatsApp data, or you require clearly documented rate limits/error semantics for automated agent retries.
Use Cases
- • Let an AI summarize or analyze WhatsApp conversations
- • Search for mentions or keywords across all chats
- • Find and reply to someone’s latest messages with context
- • Workflow-style chat automation via MCP prompts/resources
- • Assist with triage by pulling relevant past messages from a local store
Not For
- • Production-grade, high-assurance WhatsApp automation without due diligence
- • Environments requiring strict compliance guarantees or official WhatsApp API support
- • Use by untrusted users/agents without network isolation and strong operational controls
Interface
Authentication
Authentication is described as an API key placed directly in the URL path. The README does not describe fine-grained scopes, rotation, or how the server handles leaked keys (e.g., logging/redaction).
Pricing
Open-source project; no pricing information provided.
Agent Metadata
Known Gotchas
- ⚠ API key is in the URL path; agents/clients or proxies may log URLs (potential key leakage).
- ⚠ No documented rate-limit behavior; agents may need conservative retries/backoff to avoid overload.
- ⚠ WhatsApp unofficial API may be brittle (session/connection changes), which can impact tool reliability.
Alternatives
Full Evaluation Report
Comprehensive deep-dive: security analysis, reliability audit, agent experience review, cost modeling, competitive positioning, and improvement roadmap for whatsapp-mcp.
AI-powered analysis · PDF + markdown · Delivered within 30 minutes
Package Brief
Quick verdict, integration guide, cost projections, gotchas with workarounds, and alternatives comparison.
Delivered within 10 minutes
Score Monitoring
Get alerted when this package's AF, security, or reliability scores change significantly. Stay ahead of regressions.
Continuous monitoring
Scores are editorial opinions as of 2026-03-30.