Whoop Connect

This skill appears coherent with its stated purpose, but consider these before installing: - Secrets: WHOOP_CLIENT_SECRET is required. Avoid embedding it into world-readable files. The example systemd unit shows the secret in Environment lines — that can make the secret visible to other local users and in some system tools. Prefer a protected environment file (root-owned, 0600) or a secrets manager, and ensure unit files have restricted permissions. - Local storage: The skill stores tokens and data under ~/.whoop (whoop.db and config.json). Back up or delete these files if you later revoke access. The code includes safeguards (e.g., not to print secrets) but review logs and your systemd service configuration to avoid verbose secret logging. - Network exposure: Enabling webhooks requires hosting a public HTTPS endpoint and configuring WHOOP to call it — that increases your network exposure. Only enable webhooks if you understand and control the hosting domain/reverse proxy and TLS setup. - Auto-sync frequency and rate limits: Default polling is every 5 minutes (or 20 minutes when webhook healthy) with an estimated per-day API-call heuristic and a default daily_api_limit of 10,000. If you run frequent polling or multiple instances, you may hit WHOOP rate limits; adjust sync_interval/daily_api_limit accordingly. - Review code if concerned: The repository is self-contained and uses common libraries. If you want higher assurance, inspect whoop_client.py (token handling, refresh behavior), webhook_server.py (what it logs/returns), and install.sh. The install uses a local venv and pip; no remote arbitrary code downloads are used beyond PyPI packages. If you accept these operational considerations and secure the client secret appropriately, the skill's requests and behavior are proportionate to its functionality.