Whoop Connect

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real WHOOP integration, but it needs Review because it handles sensitive health/OAuth data and includes optional persistent sync plus an unauthenticated public webhook server.

Install only if you are comfortable granting ongoing read access to WHOOP health/profile/body data and storing it under ~/.whoop on this machine. Keep WHOOP_CLIENT_SECRET and token files private, avoid enabling webhook mode unless you can secure and monitor the public endpoint, and treat auto-sync/systemd/cron as persistent background access that should be stopped when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill exercises sensitive capabilities including shell execution, network access, environment-variable access, and file writes, but does not declare permissions or present them transparently. This is dangerous because users and the host platform cannot accurately assess or constrain what the skill can do, especially given it handles OAuth credentials and writes health data locally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The declared description understates the actual data collection and runtime behavior: the skill also accesses profile and body data, runs OAuth setup, stores additional historical metrics, and can operate a local webhook/background sync service. This is dangerous because users may authorize a narrower health-data use case without realizing broader personal data collection, persistent background operation, and local server exposure are involved.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The guide materially expands the skill from a local-only data sync into instructions for exposing a public HTTPS webhook endpoint and running a long-lived server. That increases the attack surface beyond the stated core function and could lead users to deploy an internet-reachable service without guidance on authentication, request verification, rate limiting, logging hygiene, or hardening.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The documentation says data is stored locally and 'nothing is uploaded anywhere,' but later instructs users to expose a public webhook URL and register it with WHOOP. This is a misleading security/privacy claim that can cause users to underestimate the external network exposure and third-party data flow involved in the optional configuration.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The profile formatter returns email address and WHOOP user ID directly in output, which are sensitive identifiers not required for the skill's stated purpose of presenting recovery, sleep, HRV, strain, and workout metrics. Exposing this PII increases privacy risk, enables unnecessary data disclosure to downstream logs/UI, and broadens the blast radius if outputs are stored, shared, or inspected by other components.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The OAuth flow generates a random state value but never validates the returned state in the callback before exchanging the authorization code. This weakens CSRF protection on the localhost callback and can let a local or browser-based attacker inject an authorization code for a different WHOOP account, causing account confusion or unauthorized linking.

Missing User Warnings

Low
Confidence
78% confidence
Finding
The skill supports continuous polling and optional webhook handling, but the user-facing description does not prominently warn that it may run persistently and regularly communicate with WHOOP services. This is risky because background health-data syncing affects user privacy, network exposure, and resource usage, and users may not expect an always-on component from the short description alone.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The reference explicitly documents use of offline refresh tokens and access to profile/body endpoints containing identity and sensitive health data, but provides no warning about secure handling, minimization, consent, or storage protections. In a health-data integration skill, this omission can lead implementers to persist long-lived credentials and regulated-style personal data insecurely, increasing risk of account compromise and privacy exposure.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The code persistently stores sensitive health and profile data, including recovery, sleep, heart rate, email, and body measurements, in a local SQLite database under the user's home directory without any apparent consent flow, disclosure, retention controls, or protection at rest. In the context of a WHOOP integration, this data is highly sensitive; compromise of the local account, backups, or filesystem can expose intimate health information even though there is no direct remote code execution path here.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
Displaying personal identifiers without any warning, minimization, or disclosure control is a real privacy weakness, especially in an agent skill where formatter output may be surfaced conversationally or persisted in transcripts. In this context, users asking about health metrics would not reasonably expect their email and internal user ID to be echoed back, making the exposure more dangerous rather than justified by functionality.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The webhook endpoint accepts unauthenticated POST requests, then uses the supplied event metadata to fetch and print detailed WHOOP health data. In this skill context, that means recovery, sleep, HRV, strain, and workout information could be triggered for disclosure or local propagation without verifying that the request actually originated from WHOOP, making sensitive health data exposure more dangerous than in a non-health domain.

External Transmission

Medium
Category
Data Exfiltration
Content
OAuth 2.0 Authorization Code flow.

- Auth URL: `https://api.prod.whoop.com/oauth/oauth2/auth`
- Token URL: `https://api.prod.whoop.com/oauth/oauth2/token`
- Scopes: `offline`, `read:profile`, `read:body_measurement`, `read:cycles`, `read:recovery`, `read:sleep`, `read:workout`

WHOOP rotates refresh tokens on each use. Always store the new refresh token from every token response.
Confidence
76% confidence
Finding
https://api.prod.whoop.com/

VirusTotal

65/65 vendors flagged this skill as clean.
