ClawHub

Whoop Guru

v8.4.12

WHOOP AI Fitness Coach - WHOOP手环数据获取、健康分析、恢复预测、AI教练、个性化训练计划

0· 235·1 current·1 all-time
by@effeceee
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match what is implemented: many scripts and Python modules fetch WHOOP data, process it, generate reports/charts, and call an LLM-based coach. Required binaries/packages and OAuth token storage locations are consistent with the described functionality.
Instruction Scope
SKILL.md instructs running local scripts, an OAuth login flow, and storing tokens at ~/.clawdbot/whoop-tokens.json and data/config/llm_config.json. The runtime instructions do not request unrelated system files or unrelated credentials, but they do send user WHOOP health data to whichever LLM endpoint the user configures—this is expected for an LLM coach but important to note because it transmits sensitive health data to an external service selected by the user.
Install Mechanism
No install spec; code is provided as files and is instruction-driven. There are no remote download/install steps in the manifest, so nothing in the registry would write arbitrary external code during install.
Credentials
No surprising environment variables or unrelated credentials are required. WHOOP OAuth credentials (via CLI args or optional ~/.clawdbot/whoop-credentials.env) and an optional LLM API key are proportional to the skill's purpose. The skill persists OAuth tokens and LLM keys locally, which is expected but contains sensitive data that should be protected.
Persistence & Privilege
always is false and the skill does not request forced/always-on inclusion. It stores tokens/config under user paths (~/.clawdbot and data/config) and schedules are left to the user (crontab examples). It does not request or modify other skills' configs.
Assessment
This skill appears to be what it says: a WHOOP data integrator + LLM coach. Before installing or running it: 1) Review scripts (scripts/*.py, *.sh) yourself—they run subprocesses and read/write local files. 2) Be aware that your WHOOP health data and any tokens will be stored on disk (~/.clawdbot/whoop-tokens.json and data/config/llm_config.json) and will be sent to whatever LLM endpoint you configure; only use trusted LLM services if you are comfortable sharing health data. 3) Use dedicated user account or sandbox if you want isolation; inspect and control any crontab entries before adding them. 4) Remove or revoke WHOOP tokens and delete local config files if you uninstall the skill. 5) If you need a deeper review, ask for the specific files that interact with network endpoints (lib/ whoop-fetcher, lib/llm.py, scripts/whoop_auth.py, scripts/whoop_data.py) so they can be audited for unexpected external endpoints or hardcoded hosts.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fdsttdqt1gx9vvawzcrfzfd848g2p

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments