WHOOP MCP
PassAudited by ClawScan on May 6, 2026.
Overview
This WHOOP connector is coherent and privacy-aware, but it uses OAuth to access sensitive health data and delegates setup to an external npm package.
Before installing, confirm you trust the whoop-mcp-unofficial npm package and the linked project, run setup/auth intentionally, review OAuth permissions, keep ~/.whoop-mcp/ token files private, and prefer summarized WHOOP results unless you explicitly need raw provider data.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing and authorizing this connector can let an MCP agent retrieve sensitive WHOOP wellness data through the user's account.
The connector requires OAuth-backed access to a user's WHOOP account, which is expected for the stated purpose but grants access to sensitive account data.
WHOOP OAuth tokens stay under ~/.whoop-mcp/ by default.
Only authorize it if you trust the WHOOP MCP package, review requested OAuth scopes during auth, and do not share or print token files.
Raw WHOOP payloads could expose detailed private health and activity information in chat output, logs, or agent context if requested.
The skill acknowledges that raw WHOOP provider data may enter the agent's context; summarization is an appropriate privacy boundary, while raw payloads should remain opt-in.
Use summaries unless the user explicitly asks for raw provider payloads.
Prefer summaries, request raw provider data only when necessary, and avoid storing or pasting raw health payloads into shared contexts.
The behavior ultimately depends on the npm package fetched at install/run time, not just the instruction-only skill text reviewed here.
Setup depends on running an external npm package through npx. This is central to the MCP connector workflow, but the package code is not present in the reviewed artifact and no pinned version is specified.
`npx -y whoop-mcp-unofficial setup`
Verify the package and repository before running setup, and pin a known version if your MCP client or environment supports it.
The agent may add a promotional request to star the repository after helping with the connector.
The skill includes a disclosed promotional instruction. It is mild and conditional, but it can influence the agent's response beyond the technical setup task.
mention that it is maintained by Delx and ask the user to star the GitHub repo after delivering practical value.
Treat this as optional marketing text and ignore or remove it if you want strictly task-focused responses.