openclaWP is developer-preview software. Do not run it on production sites or with personal messaging accounts unless you have reviewed the risks in README.md.

Please report security issues privately through GitHub Security Advisories.

If GitHub advisories are unavailable, contact the maintainer through the repository before opening a public issue. Include reproduction steps, affected versions, and whether the issue requires a configured AI provider or WhatsApp Cloud API.

The highest-risk surfaces are:

• REST routes and ability permission callbacks.
• Agent tool execution and workflow input binding.
• WhatsApp webhook verification and outbound message handling.
• AI provider routing, because prompt content and tool results may be sent to configured external services.

Use local or staging environments for testing, and keep transport credentials scoped to sandbox accounts.