whatsapp-mcp-extended
An extended Model Context Protocol (MCP) server that enables programmatic interaction with WhatsApp via ~41 MCP tools (messaging, media, reactions, editing/deleting, chat history, contacts, group management, polls, presence, profile data, blocklist, and “newsletters/channels”). It also includes a webhook system for incoming events with HMAC-SHA256 signatures and retry/backoff, plus a small webhook UI and supporting components (WhatsApp bridge in Go, SQLite storage).
Score Breakdown
⚙ Agent Friendliness
🔒 Security
Webhook security is claimed via HMAC-SHA256 signatures with matching/retry/backoff, which is a positive signal. However, the provided README does not show how webhook secrets are configured, how MCP access is authorized, or whether webhook/UI endpoints are protected when exposed beyond localhost. TLS requirement and secret-handling practices are not documented in the provided text.
⚡ Reliability
Best When
You want a local/self-hosted WhatsApp automation interface for agents and tools (MCP + webhooks) and can manage operational concerns (hosting, secrets, monitoring).
Avoid When
You cannot secure webhook endpoints/signing secrets, or you need documented, fine-grained rate limiting and robust API contracts for large-scale usage.
Use Cases
- • Send and manage WhatsApp messages (text, files, audio) from an agent/workflow
- • Moderate and administer groups (members, admin roles, leave, metadata)
- • Implement reactions, message edit/delete workflows, and read/seen status updates
- • Run polls inside chats and manage their lifecycle
- • Sync and search chat history / build message context windows for RAG or assistants
- • React to inbound WhatsApp events in near-real-time via HTTP webhooks
- • Manage contact metadata such as nicknames
- • Track presence/online status and subscribe to presence updates
Not For
- • High-assurance production systems without additional security hardening and operational controls
- • Use cases requiring official WhatsApp Business API compliance/guarantees beyond community/bridge implementations
- • Applications that need strong contractual SLA and documented uptime/versioning guarantees from the package itself
Interface
Authentication
README indicates webhook security uses HMAC-SHA256 signatures, but no specific details are provided in the text about how keys are provisioned/rotated for the webhook UI. Authentication/authorization for the MCP tools themselves is not described in the README excerpt (likely depends on local network/process setup).
Pricing
Self-hosted open-source project; no pricing info in provided content.
Agent Metadata
Known Gotchas
- ⚠ WhatsApp bridging/connectivity issues may cause failures (e.g., QR/authentication flow and “connected” state).
- ⚠ Tool semantics may not be idempotent (e.g., sending messages/reactions) unless the underlying implementation explicitly de-duplicates.
- ⚠ Webhook matching supports regex/contains; incorrect patterns could cause unintended triggers.
- ⚠ History sync/request older messages may be rate/availability dependent; retries may re-deliver events unless consumer deduplicates.
Alternatives
Full Evaluation Report
Comprehensive deep-dive: security analysis, reliability audit, agent experience review, cost modeling, competitive positioning, and improvement roadmap for whatsapp-mcp-extended.
AI-powered analysis · PDF + markdown · Delivered within 30 minutes
Package Brief
Quick verdict, integration guide, cost projections, gotchas with workarounds, and alternatives comparison.
Delivered within 10 minutes
Score Monitoring
Get alerted when this package's AF, security, or reliability scores change significantly. Stay ahead of regressions.
Continuous monitoring
Scores are editorial opinions as of 2026-03-30.