WHOOP Central

v1.0.2

WHOOP Central - OAuth + scripts to fetch WHOOP data (sleep, recovery, strain, workouts). Use when user asks about their sleep, recovery score, HRV, strain, or workout data.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (WHOOP data via OAuth) align with the included scripts. The code implements OAuth flows, token exchange/refresh, and endpoints to fetch recovery, sleep, strain, workouts and import historical data. Declared runtime binaries (node, openssl) are reasonable for the described flows.
Instruction Scope
SKILL.md instructions are specific and limited to: creating a WHOOP developer app, running the setup/auth/verify scripts, optionally using Postman, and importing/summarizing data. The scripts read/write local files (credentials and tokens) and call WHOOP API endpoints (api.prod.whoop.com / id.whoop.com). There is no instruction to read unrelated system files or send data to third-party servers beyond WHOOP. Note: the skill persists credentials/tokens to disk (~/.clawdbot/whoop/) and imports logs to ~/clawd/health/logs/whoop/ as documented.
Install Mechanism
No install spec / no remote downloads are present. This is a local Node script bundle; running it executes local JavaScript and calls out to local tools (openssl, xdg-open/open). That is proportionate to implementing a local OAuth loop and generating a self-signed localhost TLS cert.
Credentials
The skill does not require unrelated credentials. It asks the user to provide WHOOP client_id/client_secret (via interactive setup or token.json) which is expected. It also honors optional environment variables for customizing paths and redirect URI (WHOOP_DATA_DIR, WHOOP_CREDENTIALS_PATH, WHOOP_TOKEN_PATH, WHOOP_REDIRECT_URI, etc.), which are reasonable for configuration. No other service tokens or secrets are requested.
Persistence & Privilege
always:false and the skill does not modify other skills or global agent settings. It writes credential and token files into the user home (default ~/.clawdbot/whoop/) and may generate a self-signed TLS cert into that directory; it also writes imported logs to HOME/clawd/health/logs/whoop. These are expected side effects for a local OAuth/data-import tool.
Assessment
This skill appears to do what it says: it implements a local OAuth bootstrap and fetches WHOOP data, storing client credentials and tokens on your machine and writing imported logs to your home directory. Before installing/running:
1) Review the code (or run in an isolated environment) if you don't fully trust the source.
2) Register your own WHOOP developer app and use its client_id/client_secret rather than sharing credentials.
3) Be aware the scripts save credentials/tokens to disk (default: ~/.clawdbot/whoop/ token.json and credentials.json); protect that directory and back up/rotate secrets as appropriate.
4) The import script writes logs to ~/clawd/health/logs/whoop/; confirm that location is acceptable.
5) If you plan to use the local HTTPS callback, the script will generate a self-signed cert using openssl and may require you to proceed past browser TLS warnings.
6) Minor inconsistencies: SKILL.md recommends an HTTPS localhost redirect URI but auth.js defaults to http://localhost:3000/callback unless you set WHOOP_REDIRECT_URI; ensure your registered redirect exactly matches what you use.
Overall: safe/consistent for its stated purpose, but follow standard precautions for any code that stores OAuth client secrets and tokens locally.

Like a lobster shell, security has layers — review code before you run it.

Tags: fitness, health, latest, oauth, postman, whoop

Runtime requirements

🏋️ Clawdis
Bins: node, openssl