WHOOP
Review
Audited by ClawScan on May 10, 2026.
Overview
This looks like a plausible WHOOP check-in skill, but it asks for long-lived WHOOP credentials and for daily execution of bin scripts that are missing from the package and so could not be reviewed.
Review carefully before installing. Do not provide WHOOP credentials or enable daily scheduling until the missing bin scripts are included and inspected. If you proceed, use a private chat, limit OAuth scopes where possible, and be ready to revoke the WHOOP app or remove the cron job.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill may fail, or a user/agent may end up running code that was not included in the reviewed package.
SKILL.md instructs execution of bin scripts that are not present in the provided file manifest, so the code that would handle OAuth authorization and WHOOP data retrieval is unavailable for review.
node /home/claw/clawd/skills/whoop/bin/whoop-auth ... node /home/claw/clawd/skills/whoop/bin/whoop-morning
Do not authorize or schedule the skill until the referenced bin scripts are included and reviewed.
A refresh token can keep granting access to WHOOP data after the initial login, and users may not see this credential requirement in registry metadata.
The skill requires long-lived WHOOP account access for health data, but registry metadata lists no required env vars or primary credential, and the credential-consuming scripts are missing.
WHOOP_CLIENT_SECRET ... WHOOP_REFRESH_TOKEN ... Requires `offline` scope to receive refresh tokens.
Treat this as a sensitive health-account integration: verify the requested WHOOP scopes, store secrets securely, and revoke the OAuth app if you stop using the skill.
Recovery, sleep, and strain details may appear in chat logs or scheduled messages.
The skill intentionally moves personal health/fitness data from WHOOP into bot output or messages.
fetches your latest WHOOP data (Recovery, Sleep, Cycle/Strain) ... Bot should send the output as a message.
Use only in a private workspace or conversation, and confirm where scheduled messages will be delivered.
The skill could keep running every morning and sending health summaries until the schedule is removed.
The skill explicitly recommends persistent scheduled execution, which is expected for a daily morning check-in but should be user-controlled.
Recommended: schedule with Gateway cron (daily morning).
Only enable the cron job if you want recurring messages, and know how to disable it.
