WHOOP Lab

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its WHOOP health-data purpose, but its optional Obsidian logger can automatically commit and push the entire vault, not just the WHOOP note.

Review carefully before installing if your Obsidian vault is a Git repository. The WHOOP features are coherent, but running the Obsidian logger may pull, stage every vault change, commit, and push unrelated private notes. Use `--dry-run` first, inspect `git status`, and consider removing or disabling the auto Git sync. Also protect `~/.config/whoop-skill/credentials.json`, authorize only scopes you are comfortable granting, and treat the health guidance as informational rather than medical advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

Tainted flow: 'EXPERIMENTS_FILE' from os.environ.get (line 35, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
def save_experiments(experiments):
    EXPERIMENTS_FILE.parent.mkdir(parents=True, exist_ok=True)
    with open(EXPERIMENTS_FILE, "w") as f:
        json.dump(experiments, f, indent=2)
Confidence
91% confidence
Finding
with open(EXPERIMENTS_FILE, "w") as f:

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The script's stated purpose is logging WHOOP stats to a daily note, but it also performs `git pull --rebase --autostash`, `add -A`, `commit`, and `push` on the entire vault. This creates a hidden side effect that can upload unrelated notes or repository contents to a remote and can merge remote content into the local vault without the user's explicit intent at runtime.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Running broad git operations on the whole vault is not necessary to log WHOOP metrics and can expose unrelated sensitive content in an Obsidian repository. In the context of a health-data skill, this is more concerning because vaults often contain personal medical, journal, and credential-adjacent notes, so an automatic push can cause confidentiality loss beyond the intended WHOOP entry.

Intent-Code Divergence

Low
Confidence
81% confidence
Finding
The docstring advertises only local note logging, while the implementation also syncs the vault with git remotes. This mismatch is security-relevant because it can mislead users into invoking the script without understanding that it may transmit repository contents off-device.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The manifest's broad 'Use when' language could cause the skill to activate for many generic health or journaling requests, increasing the chance of unnecessary access to sensitive health data, tokens, local files, or network actions. In a health-data skill, overbroad routing is more dangerous because the data involved is highly sensitive and the skill includes write and network capabilities.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The documentation instructs users to enter a Client Secret and store OAuth tokens locally without a prominent warning about their sensitivity, handling expectations, or storage protections. This can lead to unsafe operator behavior, accidental disclosure, and weak local protection of long-lived refresh credentials.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation explicitly instructs requesting all WHOOP scopes plus offline access, including profile and body-measurement data, which exceeds least-privilege for many use cases and enables collection of highly sensitive health and identity data. In a health-tracking skill, broad scopes and refresh tokens increase the blast radius of compromise by allowing long-lived access to recovery, sleep, workouts, profile, and body metrics without any noted consent minimization or sensitivity warning.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This document gives concrete health, training, and quasi-diagnostic recommendations such as when to push hard, rest, or seek medical attention, but it does not clearly state that the guidance is informational only and not medical advice. In a health-analysis skill, users may reasonably rely on this guidance for decisions about exercise, illness, or possible cardiac/respiratory issues, increasing the risk of unsafe self-management or delayed professional care.

VirusTotal

64/64 vendors flagged this skill as clean.
