> It doesn’t use the public WhatsApp API, it reimplements the official WhatsApp client auth.

Nothing wrong with that if the official API has fewer features.

> Authentication uses a shared secret and it’s obvious that you as a third party obtaining this secret from your users

What do you mean? Usually, you install such a package to automate WhatsApp for your own account.