WHOOP Morning Review
Audited by ClawScan on May 10, 2026.
Overview
The WHOOP purpose is plausible, but the skill asks for persistent OAuth access and tells users to run credential-handling helper commands that are not included in the reviewed files.
Review before installing. Verify the missing whoop-auth and whoop-morning scripts from a trusted source, limit WHOOP OAuth scopes to what the report actually needs, protect token files, and schedule the daily output only to a private channel.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user would be asked to run unreviewed or missing code for the most sensitive parts of the workflow.
SKILL.md instructs users to run helper executables, but the provided file manifest contains only SKILL.md and lib/tokens.js. The code that exchanges OAuth credentials and generates the report is therefore not reviewable in the supplied artifacts.
/home/claw/clawd/skills/whoop-morning/bin/whoop-auth ... /home/claw/clawd/skills/whoop-morning/bin/whoop-morning
Do not run the helper commands until the package includes the referenced bin files or their trusted source is independently verified.
The skill could maintain ongoing access to sensitive WHOOP account and wellness data if the refresh token is available.
The skill requests persistent OAuth access to WHOOP health and profile data. These scopes are relevant to the integration, but the profile scope and persistent refresh-token authority go beyond the stated recovery/sleep/strain summary and are not reflected in the registry credential metadata.
requiredEnv: WHOOP_CLIENT_ID ... WHOOP_CLIENT_SECRET ... WHOOP_REFRESH_TOKEN ... --scopes offline read:recovery read:sleep read:cycles read:profile
Use the minimum WHOOP scopes needed, confirm profile access is necessary, and ensure the registry metadata clearly declares the required credentials.
Local users or processes with access to the token cache file may be able to read stored WHOOP tokens, depending on system permissions.
The included helper persists OAuth token material in a home-directory cache. That is expected for refreshable API access, but the reviewed code does not show explicit file-permission hardening.
const CACHE_DIR = `${process.env.HOME || '/home/claw'}/.cache/whoop-morning`; ... fs.writeFileSync(TOKENS_PATH, JSON.stringify(tokens, null, 2))
Store token files with restrictive permissions, such as owner-only read/write, and avoid shared accounts or directories.
Sensitive wellness information could be sent to the wrong place if the cron destination is misconfigured.
The automated output may contain WHOOP health metrics and daily suggestions sent through a Gateway/message path. This is disclosed and purpose-aligned, but the recipient/channel boundaries are not specified.
Recommended: schedule with Gateway cron (daily, morning). The cron job should run `whoop-morning` and send its output as a message.
Schedule the report only to a private destination and confirm who can see Gateway messages.
