WHOOP Health Data Sync

Security checks across malware telemetry and agentic risk

Overview

The skill’s health-sync purpose is mostly coherent, but it ships a populated WHOOP OAuth token file and has weak handling around long-lived health-data access.

Review carefully before installing. Delete the bundled data/tokens.json, revoke or rotate any exposed WHOOP tokens, authorize only with your own WHOOP app credentials, and install only if you are comfortable storing sensitive health data in the OpenClaw workspace and optionally running daily background sync.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Rogue AgentSelf-Modification, Session Persistence
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration

Findings (10)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 92% confidence
Finding: The skill clearly instructs use of environment variables, local file reads/writes, network access to WHOOP and OAuth endpoints, and shell execution via Python and cron, yet it declares no permissions. That mismatch prevents informed consent and weakens runtime governance, especially because the skill handles OAuth credentials and sensitive health data.

Context-Inappropriate Capability

Medium

Confidence: 77% confidence
Finding: Using a local 1Password service-account token and querying a general-purpose vault introduces access to broader secrets than are strictly required for WHOOP sync. In a skill context, this increases blast radius if the script or surrounding environment is compromised, because a WHOOP utility should not implicitly depend on a high-privilege secret broker without strict scoping.

Intent-Code Divergence

Medium

Confidence: 98% confidence
Finding: The remote callback path explicitly proceeds even when the returned OAuth state does not match the saved state, defeating CSRF protection in the authorization flow. An attacker who can induce or intercept an authorization response could bind the wrong authorization code to the session and cause token confusion or unauthorized account linkage.

Missing User Warnings

Low

Confidence: 89% confidence
Finding: The README instructs users to export WHOOP client credentials but does not warn that these are sensitive secrets that should not be committed to shell history, shared screenshots, dotfiles, or logs. In this skill context, the risk is real but limited because the README itself does not exfiltrate secrets; the main danger is accidental disclosure leading to unauthorized API access to the user's WHOOP data.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The README directs users to sync and store WHOOP health data as local markdown files without a clear privacy notice about the sensitivity of recovery, sleep, HRV, workout, and related biometric data. This is more concerning in context because the skill is specifically designed to make personal health data broadly available to an AI agent and local automation, increasing the chance of unintended access, retention, backup leakage, or sharing.

Missing User Warnings

Medium

Confidence: 86% confidence
Finding: The README instructs users to export WHOOP client credentials and obtain long-lived refreshable tokens, but it does not warn that these secrets grant ongoing access to highly sensitive health data or explain how to store them safely. In this skill's context, the risk is elevated because synced outputs contain recovery, sleep, HRV, and other personal health metrics that may be exposed through shell history, shared environments, logs, backups, or permissive markdown file storage.

Vague Triggers

Medium

Confidence: 83% confidence
Finding: The trigger phrases are broad health terms such as HRV, sleep, strain, and health sync, which can match ordinary conversation and cause the skill to activate unexpectedly. In this skill's context, unintended activation is more dangerous because it can initiate workflows involving sensitive health data, credentials, local storage, and network calls.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill syncs highly sensitive biometric and health information to markdown files in a local workspace but does not prominently warn users about privacy, retention, or who may access those files. Because the data includes recovery, sleep, HRV, respiratory metrics, and workout details, silent local storage creates a meaningful confidentiality risk.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The script writes highly sensitive health information—recovery, sleep, HRV, resting heart rate, respiratory rate, workouts, and weekly summaries—to markdown files in a workspace directory without any consent prompt, warning, retention policy, or access-control checks. In an agent environment, these files may become available to other tools, agents, backups, or users, increasing the risk of privacy leakage and secondary use of medical-adjacent data.

Session Persistence

Medium

Category: Rogue Agent
Content: ## Setup ### 1. Create WHOOP Developer App 1. Go to https://developer-dashboard.whoop.com/ 2. Create Application → Redirect URI: `http://localhost:9527/callback` → select all `read:*` + `offline` scopes
Confidence: 78% confidence
Finding: Create WHOOP Developer App 1. Go to https://developer-dashboard.whoop.com/ 2. Create Application → Redirect URI: `http://localhost:9527/callback` → select all `read:*` + `offline` scopes 3. Note Clie

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal