guarded-whatsapp-mcp
Governs and automates WhatsApp messaging for AI agents with security controls such as recipient allowlisting, secret scanning, file validation, rate limiting, confirmation gate, and audit logging.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@guarded-whatsapp-mcpSend 'Meeting at 3pm' to the engineering team."
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
guarded-whatsapp-mcp
Govern & automate WhatsApp safely for AI agents.
An MCP server that lets an AI agent (or any MCP client) send WhatsApp messages and files — but only through a security gate you control: a recipient allowlist, secret scanning, file validation, rate limiting, a confirmation gate, and an append-only audit log.
Most WhatsApp bridges send anything, anywhere, with no record. That is fine for a human clicking send. It is not fine for an autonomous agent. guarded-whatsapp-mcp is the governance layer that makes agent-driven WhatsApp safe enough to trust.
This is not a Slack replacement. No channels, no threads, no workspace UI. It makes the WhatsApp you already use safe to automate.
See it in action
Related MCP server: MCP WPPConnect Server
How it works
⚠️ Read this first — unofficial transport & WhatsApp Terms
This server governs access to a transport; by default that transport is the unofficial
whatsmeow-based bridge (e.g.
whatsapp-mcp), which speaks WhatsApp Web's
private protocol.
An unofficial client violates WhatsApp's Terms of Service and can get a number banned. A reverse-engineered client cannot avoid this.
Use a secondary / non-critical number. Never your primary or business-critical one.
Not for production customer messaging — use the official WhatsApp Business Cloud API. An official Cloud-API backend is on the roadmap; the guard layer is built to front either transport.
The guardrails here reduce operational risk (wrong recipient, leaked secret, spam). They do not change the Terms-of-Service risk of the underlying bridge. We are loud about this on purpose so you can choose with eyes open.
Why teams use it
Without a guard | With guarded-whatsapp-mcp |
Agent can message any number it generates | Fail-closed allowlist — strangers are refused |
A leaked API key sails out in a message | Secret scan blocks it before it sends |
A runaway loop spams the team 200× | Rate limit caps it |
Files arrive as | ASCII-safe filenames + type/size checks |
No idea what the agent sent | Append-only audit log of every attempt |
Accidental sends | Confirmation gate — risky sends must be previewed |
Security controls
Control | What it does |
Recipient allowlist | Fail-closed. With |
Secret / PII scan | Text + captions scanned for API keys, private keys, cloud/Slack/GitHub/OpenAI tokens, JWTs, credit cards (Luhn), national IDs. |
File validation | Extension allowlist + size cap. Filenames sanitized to ASCII (no |
Rate limiting | Sliding window (per-minute + per-hour) stops runaway loops. |
Confirmation gate | Risky sends (unlisted / files / all) need a |
Audit log | Every attempt (sent / blocked / failed) appended to |
Tools
Tool | Gated? | Purpose |
| read-only | Show the allowlist (numbers masked). |
| read-only | Dry-run a send: run every check, return a verdict + |
| send | Send text to an allowlisted recipient through the full gate. |
| send | Send a file (auto ASCII-safe name, type/size checked, caption scanned). |
| read-only | Recent audit records. |
Quickstart
git clone https://github.com/peter-tnc-453/guarded-whatsapp-mcp
cd guarded-whatsapp-mcp
uv venv --python 3.11 && source .venv/bin/activate # Python 3.10+
uv pip install -e .
cp config/allowlist.example.yaml config/allowlist.yaml # edit your allowlist (git-ignored)
# a WhatsApp bridge exposing POST /api/send must be running (the authenticated session).
# whatsmeow bridge: https://github.com/lharries/whatsapp-mcp (first run = QR scan)
python -m wa_guard # run the MCP server (stdio)Register with Claude Code / any MCP client
{
"mcpServers": {
"guarded-whatsapp-mcp": {
"command": "/ABSOLUTE/PATH/guarded-whatsapp-mcp/.venv/bin/python",
"args": ["-m", "wa_guard"],
"env": {
"PYTHONPATH": "/ABSOLUTE/PATH/guarded-whatsapp-mcp/src",
"WA_GUARD_CONFIG": "/ABSOLUTE/PATH/guarded-whatsapp-mcp/config/allowlist.yaml"
}
}
}
}Example — a safe agent flow
// 1) The agent previews first (read-only, sends nothing)
wa_preview(recipient="Alex", file_path="report.pdf")
// → { ok:false, needs_confirm:true, confirm_token:"a1b2c3d4e5",
// display_filename:"report.pdf", recipient:{ name:"Alex", allowlisted:true } }
// 2) It sends, passing the token back to prove the preview happened
wa_send_file(recipient="Alex", file_path="report.pdf", confirm_token="a1b2c3d4e5")
// → { sent:true, ... } (and one line is appended to the audit log)
// A blocked attempt is explicit and recorded:
wa_send_message(recipient="+66999999999", message="hi")
// → { sent:false, blocked_reason:"recipient is not allowlisted and allow_unlisted=false" }Configuration
See config/allowlist.example.yaml. Key knobs:
allow_unlisted (the fail-closed switch), require_confirm_for, rate_limit, files,
secrets.on_detect, and the recipients allowlist. Edits hot-reload on each call.
Roadmap
Pluggable backend — same guard layer in front of the unofficial bridge or the official WhatsApp Business Cloud API (compliant path).
Inbound routing — surface incoming messages to agents (read · classify · route).
Scheduled / templated sends through the same gate.
Per-recipient policy (rate limits / confirm rules per contact or group).
Tests
uv pip install pytest && PYTHONPATH=src python -m pytest -q # 19 passingContributing
PRs welcome — see CONTRIBUTING.md. The one rule: keep the fail-closed posture, and add a test for every new check.
License
MIT — see LICENSE. Security model & honest limitations in SECURITY.md.
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/peter-tnc-453/guarded-whatsapp-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server