ClawHub

WHOOP Morning

Check WHOOP recovery/sleep/strain each morning and send suggestions.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
1 · 1.7k · 0 current installs · 0 all-time installs
by@Borahm
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's stated goal (fetch WHOOP recovery/sleep/strain and produce suggestions) matches the OAuth env vars and token cache behavior described in SKILL.md and implemented in lib/tokens.js. However, SKILL.md expects helper binaries (whoop-auth and whoop-morning) to exist at /home/claw/... but the package manifest only contains SKILL.md and lib/tokens.js — the referenced binaries are not present. Also the registry metadata listed no required env vars while SKILL.md declares three WHOOP env vars (discrepancy).
Instruction Scope
Instructions are narrowly scoped to performing OAuth, storing credentials in ~/.clawdbot/.env, and running the two binaries. They do not ask to read unrelated system files or transmit data to third-party endpoints beyond WHOOP's API. Concern: the instructions hard-code platform-specific paths (/home/claw/...) and reference binaries that are not included, which could lead users to run unknown binaries elsewhere if provided separately.
Install Mechanism
There is no install spec (instruction-only), which is low-risk in isolation. But SKILL.md refers to bundled binaries under a skill path; those binaries are missing from the file manifest. That mismatch is suspicious because it forces the user to obtain or run binaries from another source (or assumes an environment layout), increasing risk.
Credentials
The only secrets requested in SKILL.md are WHOOP_CLIENT_ID, WHOOP_CLIENT_SECRET, and WHOOP_REFRESH_TOKEN — all appropriate for a WHOOP OAuth integration. The code reads HOME and stores tokens under ~/.cache/whoop-morning and SKILL.md directs storing client secrets in ~/.clawdbot/.env — these uses are proportionate. Note the registry metadata's omission of required env vars is inconsistent with SKILL.md.
Persistence & Privilege
The skill does persist tokens locally (writes tokens.json in ~/.cache/whoop-morning and updates ~/.clawdbot/.env), which is expected for an OAuth flow. It does not request always:true and does not attempt to modify other skills' configs. Ensure file permissions and local token handling are appropriate.
What to consider before installing
This skill mostly does what it says (WHOOP OAuth and daily suggestions), but there are mismatches you should resolve before installing: 1) SKILL.md expects two executable scripts (whoop-auth and whoop-morning) at /home/claw/… but those binaries are not present in the package — confirm their origin and inspect them before running. 2) The registry metadata does not list the required env vars even though SKILL.md does — verify which variables the runtime actually needs. 3) The skill will store your WHOOP_CLIENT_ID/SECRET and tokens in ~/.clawdbot/.env and ~/.cache/whoop-morning/tokens.json; treat these as sensitive, check file permissions, and consider using a dedicated WHOOP account or rotating credentials after testing. Recommended actions: obtain and review the whoop-auth/whoop-morning binaries (or request the author publish the full package), verify no unexpected network endpoints are contacted by those binaries, and only then provide your WHOOP credentials.

Like a lobster shell, security has layers — review code before you run it.

Current versionv0.1.1
Download zip
Plugin bundle (nix)
Skill pack · CLI binary · Config
SKILL.mdCLIConfig
Config requirements
Required envWHOOP_CLIENT_ID, WHOOP_CLIENT_SECRET, WHOOP_REFRESH_TOKEN
latestvk970a52jcdbk7fww2m1g2zq6zs7zrrcx

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

whoop-morning

Morning WHOOP check-in:

  • fetches your latest WHOOP data (Recovery, Sleep, Cycle/Strain)
  • generates a short set of suggestions for the day

Setup

1) Create WHOOP OAuth credentials

You already have:

  • WHOOP_CLIENT_ID
  • WHOOP_CLIENT_SECRET

Store these in ~/.clawdbot/.env.

2) Authorize once (get refresh token)

Run:

/home/claw/clawd/skills/whoop-morning/bin/whoop-auth --scopes offline read:recovery read:sleep read:cycles read:profile

This prints an authorization URL. Open it in your browser, approve, and paste the code back into the terminal.

The script will exchange it for tokens and write WHOOP_REFRESH_TOKEN=... to ~/.clawdbot/.env.

3) Run the morning report

/home/claw/clawd/skills/whoop-morning/bin/whoop-morning

Automation

Recommended: schedule with Gateway cron (daily, morning). The cron job should run whoop-morning and send its output as a message.

Notes

  • This skill uses WHOOP OAuth2:
    • auth URL: https://api.prod.whoop.com/oauth/oauth2/auth
    • token URL: https://api.prod.whoop.com/oauth/oauth2/token
  • WHOOP rotates refresh tokens; avoid running multiple refreshes in parallel.
  • API availability/fields can change; if WHOOP returns 401/400 during token refresh, re-run whoop-auth.

Files

2 total
Select a file
Select a file to preview.

Comments

Loading comments…