Skill v1.0.0

ClawScan security

WHOOP Lab · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 4, 2026, 11:04 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and required binaries align with its stated purpose (fetching WHOOP data, charting it, running experiments, and optionally logging to Obsidian); it stores OAuth tokens locally and may write/commit to your vault, so review those behaviors before use.
Guidance
This skill appears to be internally consistent with its WHOOP-focused purpose, but review these practical points before installing:

1) You must create a WHOOP Developer App and enter its client_id/client_secret interactively; those tokens (access + refresh) are stored at ~/.config/whoop-skill/credentials.json (file is set to 600 permissions by the script).
2) The auth flow can open a local HTTP server (localhost:8888) to capture the OAuth callback — if you run this on a remote/cloud host, prefer the manual code-paste option so nothing listens on a public port.
3) log_to_obsidian.py will write to and may commit/push your Obsidian vault if it's a git repo; verify vault_path in config and confirm you want those files committed/pushed to your remote.
4) The only network endpoints contacted are api.prod.whoop.com and the Chart.js CDN; if you require a stricter network policy, audit the scripts and run in a network-restricted environment first.
5) Source is listed as unknown — if you do not trust the bundle, inspect the scripts (they are plaintext Python) or run them in an isolated environment.
6) Test with dry-run modes (log_to_obsidian.py --dry-run) and review created files before enabling automated or agent-driven runs.

If you want additional assurance, ask for a short checklist of the key files/lines to inspect and I can point to the exact places to verify (e.g., where tokens are saved, where git commands are invoked).

Review Dimensions

Purpose & Capability
ok
Name/description match the included scripts: auth (OAuth), fetch (WHOOP API), refresh_token, charting, experiment tracking, and Obsidian logging. Required binaries (python3, git) are justified (python3 to run scripts, git used only for optional vault sync). No unrelated credentials or external services are requested.
Instruction Scope
note
SKILL.md and the scripts operate within the described scope: they instruct creating a WHOOP Developer App, running auth.py to obtain OAuth tokens, fetching WHOOP endpoints, generating Chart.js HTML (via CDN), and optionally writing to an Obsidian vault. Important behaviors to note: the auth flow can spin up a local HTTP server to capture the OAuth callback (or use manual paste), credentials are saved to ~/.config/whoop-skill/credentials.json, and log_to_obsidian.py will create/append markdown files in your vault and can run git pull/add/commit/push. All of these are consistent with the skill's purpose but are file- and network-affecting actions you should expect.
Install Mechanism
ok
No opaque or remote install spec; SKILL.md asks the user to pip install -r requirements.txt (requests only). No downloads from untrusted URLs or archive extraction are present in the files provided.
Credentials
ok
The skill does not require environment variables or other unrelated credentials. It optionally respects WHOOP_EXPERIMENTS_FILE (to override experiments.json). OAuth client ID/secret are collected interactively and stored locally — appropriate for this integration. The only external endpoints contacted are the WHOOP API and Chart.js CDN (cdn.jsdelivr.net).
Persistence & Privilege
note
The skill writes persistent data to ~/.config/whoop-skill/ (credentials.json, experiments.json, config.json) and writes/updates files inside your configured Obsidian vault; it will attempt git pull/commit/push if the vault is a git repo. always:false and no global config modification — privileges are limited to the skill's own config directory and the user-specified vault, which is coherent but important to be aware of.