whatsapp-mcp
An MCP server that bridges an AI client (e.g., Claude Desktop/Cursor) to WhatsApp. The agent can search contacts and chats, read message history from a local SQLite store, and send text and media through a locally running WhatsApp “bridge” (Go). Incoming messages can be forwarded to a webhook.
Score Breakdown
🔒 Security
Security concerns: the prompt-injection/exfiltration risk is explicitly called out. The system stores WhatsApp messages locally in SQLite and can forward incoming messages to an external webhook, which increases data handling risk. App-level authorization and scoped tool permissions are not described; WhatsApp authentication is via a QR-based session, but access control for who can call the MCP tools appears to rely on local deployment/network controls. TLS, detailed error handling, auth headers, and rate limiting are not described in the README.
Best When
You run it locally/single-user, want agent-driven access to your own WhatsApp data, and can control network exposure to the bridge/webhook endpoints.
Avoid When
You cannot safely handle sensitive messaging data (PII/secrets), or you need strict safeguards against prompt injection/data exfiltration and unauthorized tool use.
Use Cases
- Agent-assisted WhatsApp support: look up recent messages and draft replies
- Automated internal workflows that read WhatsApp messages and forward them to an external system via webhook
- Contact discovery: resolve names from phone numbers/JIDs
- Lightweight personal assistant: retrieve message context and send text/media to known contacts/groups
Not For
- Production-grade multi-tenant deployments without additional access controls
- Use in environments where storing WhatsApp message content locally is disallowed
- High-assurance compliance workflows without further security review and audit
Interface
Authentication
No user-facing OAuth/scoped authorization is described for the MCP tools; access appears to be controlled by local process/network exposure and the WhatsApp session created via QR authentication.
Pricing
Open-source project; cost is infrastructure/compute and any external webhook receiver costs.
Agent Metadata
Known Gotchas
- ⚠ Potential prompt-injection risk when the agent is allowed to read/send sensitive message content (explicitly warned in README).
- ⚠ Media downloads/sends may require correct message_id/chat_jid context; the agent must supply both for download_media.
- ⚠ Local SQLite storage means agents should be constrained to only the data they are authorized to access (README mentions “only sent to Claude when you allow it”, but enforcement details are not specified).
- ⚠ Bridge is a local service; if exposed on a network, tool access may be reachable without strong app-level auth (not described).
Scores are editorial opinions as of 2026-04-04.