WHOOP CLI for Agents
v0.3.1Use whoop-cli to fetch WHOOP data, generate day briefs/health flags, and export trend data for automation workflows.
⭐ 0· 652·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's stated purpose (agent-friendly whoop-cli access for briefs, health flags, and exports) matches the commands and workflows in SKILL.md. Requesting WHOOP OAuth credentials and a whoop binary is coherent with that purpose. However, the registry metadata lists no required binaries, no env vars, and no install spec while SKILL.md clearly documents both required env vars and an npm install — this inconsistency is unexpected and should be resolved before trusting the skill.
Instruction Scope
SKILL.md instructs the agent to run whoop CLI commands that read/write local files (e.g., ~/.whoop-cli/profiles/*.json, experiments.json) and to prefer read-only operations; it explicitly warns not to request secrets in chat and to let the user perform login locally. Those runtime instructions are generally scoped to the stated purpose, but they also allow or suggest commands that could surface local token files or request client secrets for login; the guidance relies on human enforcement. Given the mismatch between declared and actual requirements, it's unclear whether the agent will be constrained to the safe behaviors described.
Install Mechanism
SKILL.md provides an npm global install (package @andreasnlarsen/whoop-cli@0.3.1), which is a reasonable distribution mechanism for a Node CLI, but the registry's top-level metadata contained no install spec. The presence of install instructions only in SKILL.md (not in the registry) is an inconsistency. Installing an npm package globally requires runtime privileges and should be done from a trusted source; SKILL.md points to a GitHub repo, but the skill listing has no homepage and an unknown source, increasing risk.
Credentials
SKILL.md requires WHOOP_CLIENT_ID, WHOOP_CLIENT_SECRET, and WHOOP_REDIRECT_URI (with WHOOP_CLIENT_SECRET declared as primaryEnv) which are appropriate for OAuth-based CLI access. The registry metadata, however, declared no required env vars or primary credential — this mismatch is a red flag. Otherwise, the skill does not request additional unrelated credentials and restricts operations to local token files and read-only commands where possible.
Persistence & Privilege
The skill does not request always:true, does not claim persistent system-wide configuration changes, and is instruction-only (no code written to disk by the registry). SKILL.md mentions the CLI will store tokens under ~/.whoop-cli and offers an optional local install command, which is normal for a CLI integration and within scope for this purpose.
What to consider before installing
Do not install or enable this skill until you verify its origin. Steps to consider: 1) Confirm the npm package and GitHub repo referenced in SKILL.md (@andreasnlarsen/whoop-cli) are legitimate and match the maintainer listed in the registry. 2) Be wary that the registry metadata omits the env vars and install instructions that SKILL.md requires — ask the publisher to fix the manifest or provide a signed/verified source. 3) If you proceed, install the whoop CLI yourself (npm install -g @andreasnlarsen/whoop-cli@0.3.1) and perform OAuth login locally; never paste client secrets into chat. 4) Inspect ~/.whoop-cli profiles after login to confirm tokens are local and as expected. 5) Prefer read-only commands (summary, day-brief, health, trend, sync pull) and avoid granting the agent permissions to perform auth/login on your behalf. If the skill's origin cannot be confirmed or the manifest corrected, avoid enabling it.Like a lobster shell, security has layers — review code before you run it.
latestvk97f3b0650nxnfkh9tef3jakrd81g2ex
License
MIT-0
Free to use, modify, and redistribute. No attribution required.