WHOOP CLI for Agents
PassAudited by ClawScan on May 1, 2026.
Overview
The skill is coherent and purpose-aligned for accessing WHOOP data, but users should notice that it relies on an external CLI, local WHOOP credentials, and local storage of health-related state.
Before installing, verify the external whoop-cli npm package, set up WHOOP authentication locally rather than sharing secrets in chat, and remember that WHOOP health data plus experiment notes may be stored on your machine and reused by future CLI runs.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing and using the skill may allow the agent, through the CLI, to access WHOOP account data after authentication.
The skill uses WHOOP application credentials to authenticate to a user account. This is expected for the stated WHOOP integration, and the skill also warns not to paste secrets into chat.
env:
- WHOOP_CLIENT_ID
- WHOOP_CLIENT_SECRET
- WHOOP_REDIRECT_URI
primaryEnv: WHOOP_CLIENT_SECRETUse only trusted WHOOP app credentials, avoid pasting secrets into chat, and review which profile/account the CLI is using before granting access.
The external CLI will run locally and handle WHOOP authentication and data retrieval.
The skill depends on a pinned external npm package that is not included in the artifact set. This is central to the skill's purpose and is disclosed, but users should trust the package source before installing.
npm install -g @andreasnlarsen/whoop-cli@0.3.1
Verify the npm package and linked project before installing, and prefer installing from the documented pinned version.
If run, the command could replace or update the installed skill configuration.
The optional bootstrap command can force-install an OpenClaw skill bundle, which may overwrite existing skill state. It is presented as an optional setup command rather than hidden automatic behavior.
whoop openclaw install-skill --force
Run force-install commands only when you intend to update or replace the skill, and review the package source first.
Private experiment notes and health-related context may persist locally and influence later WHOOP analyses.
The skill stores experiment context persistently in a local file. This is relevant to its experiment workflow and is disclosed, but the file may contain sensitive health, behavior, or coaching context reused in future reports.
Canonical state: `~/.whoop-cli/experiments.json` only.
Keep the experiment file accurate, avoid storing unnecessary sensitive details, and delete or archive it when no longer needed.