ronnycoding/openwa
skills/open-wa/SKILL.md
Control a self-hosted OpenWA WhatsApp API Gateway from the command line. Use this skill whenever the user wants to send WhatsApp messages (text, image, document, location, contact, interactive buttons/lists), read or react to messages, manage WhatsApp sessions and QR-code login, look up or block contacts, create and administer groups, set up webhooks, or manage API keys against an OpenWA instance. Trigger it any time OpenWA, a "WhatsApp gateway", "WhatsApp API", a local WhatsApp server on port 2785, or sending/automating WhatsApp from scripts comes up — even if the user doesn't name the script explicitly. Covers the full OpenWA REST API.
$ install --global
skillsauthnpx skillsauth add ronnycoding/.claude openwaInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Jun 18, 2026, 5:13 AM188.6s4 files scanned
SKILL.md
- name:
- openwa
- description:
- >-
OpenWA CLI
scripts/openwa.py is a zero-dependency Python CLI (standard library only — no
pip install needed) that wraps the entire OpenWA REST API. Prefer it over
hand-writing curl: it handles auth, phone-number formatting, JSON bodies,
multipart file uploads, and query params, and it returns pretty-printed JSON.
Setup & configuration
Configuration resolves as flag → environment variable → default:
| Setting | Flag | Env var | Default |
| --- | --- | --- | --- |
| Base URL | --base-url | OPENWA_BASE_URL | http://localhost:2785 |
| API key | --api-key | OPENWA_API_KEY | dev-admin-key |
| Session id | -s / --session | OPENWA_SESSION | default |
For real use, export the key once rather than passing it each time:
export OPENWA_API_KEY="dev-admin-key" # use the instance's real key in production
export OPENWA_BASE_URL="http://localhost:2785"
python3 scripts/openwa.py health
Always confirm connectivity with health before assuming a command failure is
your fault — a transport error tells the user the instance is down or the URL is
wrong, which is a different problem than a 4xx from the API.
Mental model
OpenWA is multi-session: one running gateway can host several linked WhatsApp
numbers, each identified by a session id. Almost every command operates on a
session (default default). To act as a different number, pass -s <session>.
A brand-new session is INITIALIZING and must be authenticated by scanning a QR
code in the phone's WhatsApp app (Linked Devices). Typical bring-up:
python3 scripts/openwa.py sessions create --id sales --name "Sales line"
python3 scripts/openwa.py sessions qr sales --format image --out sales-qr.png # scan this
python3 scripts/openwa.py sessions get sales # status -> CONNECTED
Phone numbers can be passed bare (628123456789) or as full JIDs
([email protected]); the CLI normalizes them, including stripping +, spaces,
and dashes. Group ids get @g.us appended automatically.
Common tasks
# Send a text message
python3 scripts/openwa.py send text 628123456789 "Hello from OpenWA!"
# Send an image (by URL, by local file via multipart, or base64)
python3 scripts/openwa.py send image 628123456789 --url https://x/p.jpg --caption "Hi"
python3 scripts/openwa.py send image 628123456789 --file ./photo.jpg --caption "Hi"
# Reply quoting a message and mention someone
python3 scripts/openwa.py send text 628123456789 "see above" --quoted MSG_ABC --mention 628111222333
# Read recent chat history, then react
python3 scripts/openwa.py messages list 628123456789 --limit 20
python3 scripts/openwa.py messages react MSG_ABC 👍
# Check a number is on WhatsApp before messaging
python3 scripts/openwa.py contacts exists 628123456789
# Create a group and add people
python3 scripts/openwa.py groups create --name "Project X" --participant 628111 --participant 628222
python3 scripts/openwa.py groups invite-code 120363123456789
# Subscribe a webhook to incoming messages
python3 scripts/openwa.py webhooks create --url https://my.server/wh \
--event message.received --event message.ack
Interactive list messages take a JSON sections array — write it to a file
and pass --sections @sections.json for readability.
Every command and its flags are discoverable: python3 scripts/openwa.py --help
and python3 scripts/openwa.py <group> --help (e.g. send --help). For the full
endpoint map, body shapes, and CLI-to-endpoint mapping, read
references/api.md.
Output, errors, and scripting
Output is pretty-printed JSON on success. On failure the tool prints the API's
error envelope (or a transport message) to stderr and exits non-zero, so it
composes in shell pipelines. To post-process, pipe stdout to jq:
python3 scripts/openwa.py sessions list | jq '.data[] | {id, status}'
For any endpoint not covered by a dedicated subcommand, use the raw escape hatch:
python3 scripts/openwa.py request GET /api/sessions/default/messages \
--data '{"phone":"[email protected]"}'
Safety notes
- Sending is real and irreversible. Messages go to live WhatsApp recipients.
When the user's intent or the recipient is ambiguous, confirm the number and
body before sending, and prefer
contacts existsfirst. messages deletedefaults to deleting for everyone; pass--no-for-everyoneto remove only on this side.sessions logout/sessions deleteclear auth and require re-scanning a QR to restore the number — don't run them casually on a connected session.- Treat the API key as a secret: keep it in
OPENWA_API_KEY, not in committed files or shared command logs.
Related Skills
ronnycoding/webgl-expert
development
VerifiedTrustedCommunity
Expert guide for WebGL API development including 3D graphics, shaders (GLSL), rendering pipeline, textures, buffers, performance optimization, and canvas rendering. Use when working with WebGL, 3D graphics, canvas rendering, shaders, GPU programming, or when user mentions WebGL, OpenGL ES, GLSL, vertex shaders, fragment shaders, texture mapping, or 3D web graphics.
18SKILL.mdUpdated Jun 18, 2026
ronnycoding/sentry-cli
tools
VerifiedTrustedCommunity
Guide for using the Sentry CLI to interact with Sentry from the command line. Use when the user asks about viewing issues, events, projects, organizations, making API calls, or authenticating with Sentry via CLI.
18SKILL.mdUpdated Jun 18, 2026
ronnycoding/secure-web-search
development
VerifiedTrustedCommunity
Guide for performing secure web searches with privacy protection, source verification, and information validation. Use when the user wants to search the web securely, verify sources, fact-check information, or mentions secure search, privacy, source validation, or web research.
18SKILL.mdUpdated Jun 18, 2026
ronnycoding/penwa
development
VerifiedTrustedCommunity
Drive the OpenWA WhatsApp HTTP API from the terminal with curl. Use when sending WhatsApp messages (text/image/video/audio/document/location/contact/bulk), managing sessions and QR login, listing contacts/groups/chats, registering webhooks, or managing scoped API keys against an OpenWA server. Triggers on "OpenWA", "penwa", "send WhatsApp via API", "WhatsApp session", or mentions of base URL http://0.0.0.0:2785.
18SKILL.mdUpdated Jun 18, 2026