v0.5.0

Whoop Connect

Benign
ClawScan verdict for this skill. Analyzed May 1, 2026, 7:42 AM.

Analysis

This skill is coherent for WHOOP data access and shows no artifact-backed malicious behavior, but it handles sensitive health data, OAuth credentials, local storage, and optional background/webhook syncing.

Guidance: This appears safe for its stated purpose if you want OpenClaw to access WHOOP data. Before installing, be comfortable granting read access to WHOOP health/profile data, storing that data locally under ~/.whoop, and only enable auto-sync or webhooks if you want continuous background syncing.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Rogue Agents
Severity: Low, Confidence: High, Status: Note
SKILL.md
Start auto-sync daemon: `python3 {baseDir}/scripts/auto_sync.py` ... polls WHOOP API every `sync_interval` minutes (default 5)

The skill documents a long-running auto-sync mode that can continue polling WHOOP if the user starts it.

User impact: If enabled, the skill can keep syncing health data in the background and use API calls until stopped or limited.
Recommendation: Start auto-sync only when you want continuous syncing, monitor the process or service you create, and adjust sync intervals and API limits as needed.

Agentic Supply Chain Vulnerabilities
Severity: Low, Confidence: High, Status: Note
scripts/install.sh
"${VENV_DIR}/bin/pip" install --quiet --upgrade requests flask

The installer fetches unpinned Python packages from the package ecosystem, which is common for this kind of skill but leaves exact dependency versions unspecified.

User impact: Future installs may receive newer dependency versions than the author originally tested.
Recommendation: Install from a trusted environment, consider pinning dependency versions if you need reproducible builds, and keep the virtual environment under the skill directory.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium, Confidence: High, Status: Note
references/api-reference.md
Scopes: `offline`, `read:profile`, `read:body_measurement`, `read:cycles`, `read:recovery`, `read:sleep`, `read:workout`

The skill requires OAuth delegated access to the user's WHOOP account, including offline token refresh and multiple read scopes for health and profile data.

User impact: The skill can read sensitive WHOOP account and health data after authorization.
Recommendation: Use a personal WHOOP developer app, grant only the documented read scopes, keep the client secret and tokens private, and revoke access from WHOOP if you stop using the skill.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Medium, Confidence: High, Status: Note
scripts/db.py
DB_DIR = os.path.expanduser("~/.whoop") ... CREATE TABLE IF NOT EXISTS recovery ... sleep ... workout ... profile ... body_measurement

The skill persists health, workout, profile, and body measurement data in a local SQLite database for later reuse by the agent.

User impact: Your WHOOP history, including health metrics and profile/body information, may remain stored on the local machine.
Recommendation: Install only on a trusted device, protect your home directory, and remove ~/.whoop if you no longer want the local history retained.

Insecure Inter-Agent Communication
Severity: Low, Confidence: Medium, Status: Note
references/setup-guide.md
Webhooks let WHOOP push data to you in real-time ... requires a server with a public IP ... proxies `/whoop/webhook` to `localhost:9876`

The optional webhook setup exposes a public HTTPS endpoint that receives external WHOOP event notifications.

User impact: If you enable webhooks, your system will accept external event traffic for this integration.
Recommendation: Enable webhooks only if you understand the networking setup, use HTTPS, restrict and monitor the service where possible, and keep webhook mode disabled if polling is sufficient.