Back to skill

Security audit

WHOOP Central

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed WHOOP health-data integration, but users should treat its local tokens and optional health-history logs as sensitive.

Install only if you are comfortable granting read access to your WHOOP health data. Use a WHOOP developer app you control, request only needed scopes, keep ~/.clawdbot/whoop/token.json and credentials.json private, avoid bulk import unless you want a local health-history archive, and delete local logs or revoke the WHOOP app when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill requires environment and network access for OAuth and API calls, but those capabilities are not explicitly declared in the skill metadata. This weakens reviewability and informed consent because operators may not realize the skill can contact external services and read local configuration while handling sensitive health data and tokens.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared purpose focuses on answering user questions about WHOOP metrics, but the documentation also describes bulk historical import, local persistence of health logs, profile retrieval, and credential/token management. That behavior expansion is security-relevant because it increases data collection and retention beyond what a user may reasonably expect from the summary description.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script’s behavior materially exceeds the stated skill purpose: instead of answering user questions with on-demand WHOOP data, it performs a bulk historical import of sensitive health information and stores it locally. This creates unnecessary data accumulation and increases privacy risk because large volumes of sleep, recovery, HRV, and workout data are retained beyond the immediate user request.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script persists sensitive WHOOP health data into a separate local health-log repository under the user’s home directory, which is a significant expansion of data handling not clearly justified by the skill’s stated function. Persisting health telemetry creates confidentiality and compliance risks, especially if the logs are later accessed by other tools, backed up, indexed, or read without the user understanding that WHOOP data is being archived.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill processes sensitive health information such as recovery, sleep stages, HRV, resting heart rate, and workouts, yet it does not present an up-front privacy warning before use. Users may authorize access without understanding the sensitivity of the data or the storage/retention implications.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation advertises bulk import of WHOOP history into a local logs directory without a clear warning that personal health data will be written to disk. Persisting sensitive health records locally increases exposure through backup systems, multi-user machines, accidental sharing, or weak file permissions.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The code persists OAuth tokens, including refresh tokens, to a local JSON file without setting restrictive file permissions or using OS secret storage. If the host is multi-user, the directory is backed up/synced, or another local process can read the file, an attacker could reuse the refresh token to obtain ongoing access to the user's WHOOP data.

Credential Access

High
Category
Privilege Escalation
Content
3) Click "Get New Access Token", sign in to WHOOP, and click "Grant".

4) In Postman’s "Manage Access Tokens" modal:
- Click "Use Token" (so requests work)
- IMPORTANT: copy and save both:
  - `access_token`
Confidence
90% confidence
Finding
Access Tokens

Credential Access

High
Category
Privilege Escalation
Content
import readline from 'readline';

const DATA_DIR = process.env.WHOOP_DATA_DIR || path.join(process.env.HOME, '.clawdbot', 'whoop');
const CREDENTIALS_PATH = process.env.WHOOP_CREDENTIALS_PATH || path.join(DATA_DIR, 'credentials.json');
const TOKEN_PATH = process.env.WHOOP_TOKEN_PATH || path.join(DATA_DIR, 'token.json');

function ensureDir() {
Confidence
77% confidence
Finding
credentials.json

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.potential_exfiltration

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/auth.js:59

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/auth.js:19

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/import-historical.js:14

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/verify.js:12

Sensitive-looking file read is paired with a network send.

Warn
Code
suspicious.potential_exfiltration
Location
src/auth.js:215

Sensitive-looking file read is paired with a network send.

Warn
Code
suspicious.potential_exfiltration
Location
src/verify.js:36