Whoop Guru

Security checks across malware telemetry and agentic risk

Overview

This WHOOP fitness skill is mostly purpose-aligned, but it handles sensitive health data, credentials, recurring reports, and external LLM calls with enough scoping and disclosure gaps that users should review it carefully before installing.

Install only if you are comfortable granting access to WHOOP recovery, sleep, HRV, workout, profile, and body data. Treat the local token/API-key files as sensitive, review file permissions, and delete or rotate credentials if you uninstall. Configure an LLM only if you accept that health summaries and prompts may be sent to that provider, and be cautious using the cron/push scripts because some paths and user IDs appear environment-specific.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (38)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
Data list
        """
        try:
            result = subprocess.run(
                ["python3", EXISTING_SCRIPT, data_type, "--days", str(days)],
                capture_output=True,
                text=True,
Confidence
95% confidence
Finding
result = subprocess.run( ["python3", EXISTING_SCRIPT, data_type, "--days", str(days)], capture_output=True, text=True, timeo

Tainted flow: 'FEEDBACK_FILE' from os.environ.get (line 27, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
def _save(data: Dict) -> None:
    os.makedirs(os.path.dirname(FEEDBACK_FILE), exist_ok=True)
    with open(FEEDBACK_FILE, 'w') as f:
        json.dump(data, f, indent=2, ensure_ascii=False)
Confidence
94% confidence
Finding
with open(FEEDBACK_FILE, 'w') as f:

Tainted flow: 'OUTPUT_FILE' from os.environ.get (line 14, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
}
    
    try:
        with open(OUTPUT_FILE, 'w') as f:
            json.dump(result, f, indent=2)
    except:
        pass
Confidence
93% confidence
Finding
with open(OUTPUT_FILE, 'w') as f:

Tainted flow: 'EXISTING_SCRIPT' from os.environ.get (line 22, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
Data list
        """
        try:
            result = subprocess.run(
                ["python3", EXISTING_SCRIPT, data_type, "--days", str(days)],
                capture_output=True,
                text=True,
Confidence
99% confidence
Finding
result = subprocess.run( ["python3", EXISTING_SCRIPT, data_type, "--days", str(days)], capture_output=True, text=True, timeo

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The UI text tells users their API key is only stored locally and not uploaded, but the setup flow immediately performs a live connection test after saving the key. That test sends the key in an Authorization header to the configured third-party provider, so the disclosure statement is inaccurate and can mislead users about when their secret is transmitted.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The skill presents itself as a fitness-needs questionnaire, but the analyzer also loads separate WHOOP biometric data and uses it in downstream analysis. This is a data-transparency and consent problem because users may reasonably believe only the answers they provided in the questionnaire are being processed, while additional health-related data is silently incorporated.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The report-generation path is documented as analyzing user answers, but the prompt also embeds WHOOP recovery and HRV data. That mismatch can mislead users about what data is being sent to the model and undermines informed consent for processing potentially sensitive health information.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The code hard-codes a specific user identifier ("dongyi") when accessing goals and check-in history, which creates unjustified access to one user's private data regardless of caller context. In a reusable push/scheduling module, embedding a fixed identity is a privacy and authorization flaw because messages could expose or operate on the wrong person's health and activity records.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The morning push path packages sensitive health metrics such as recovery, HRV, RHR, sleep, training frequency, and predicted readiness into a data structure that is sent to an LLM analysis component. That exceeds simple scheduling/message formatting and introduces a data-sharing boundary for highly sensitive wellness data, potentially to an external model provider, without visible minimization or access controls in this file.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The evening push repeats the same pattern by transmitting detailed daily health and training attributes to LLM analysis, including recovery, HRV, RHR, strain, training status, and sleep debt. This broadens the module from generating reminders into secondary profiling/analysis of sensitive personal data, raising privacy and data-governance risk.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The helper function performs late-bound LLM analysis on arbitrary user data and silently returns results, masking failures with a broad exception handler. This design makes it easy for multiple call sites to send sensitive health data to an LLM without transparent review, logging, or policy enforcement, increasing the chance of unnoticed privacy violations.

Context-Inappropriate Capability

Medium
Confidence
80% confidence
Finding
The retention cleanup recursively deletes JSON files under a directory that is indirectly configurable and defaults to a relative path outside the immediate skill directory. If that path is misconfigured, manipulated, or broader than intended, the cleanup can delete unrelated data, causing integrity and availability loss.

Natural-Language Policy Violations

Medium
Confidence
78% confidence
Finding
Forcing all time handling to Beijing time without user opt-in can cause scheduled notifications, recovery summaries, and check-in logic to run at the wrong local time. In a health and coaching skill with proactive reminders, this can create privacy and safety issues by sending sensitive fitness notifications at unintended times or producing incorrect day-boundary analysis.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README explicitly documents that OAuth tokens and credentials are automatically stored in predictable locations under the user's home directory, but it provides no warning about sensitivity, file permissions, encryption, rotation, or cleanup. While documentation alone is not code execution, exposing silent credential persistence behavior without security guidance increases the likelihood of insecure handling, token leakage, and unintentional long-term retention of secrets.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The guide tells users to store a WHOOP client secret and refresh token in a local plaintext env file, but provides no warning about their sensitivity, file permissions, encryption, or exclusion from source control. These credentials can enable long-lived API access if the host is compromised, the file is accidentally committed, or other local users can read it.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This module generates personalized fitness, recovery, and injury-related recommendations from biometric-style data but does not include any clear warning that the output is not medical advice or that users should use caution when injured, sleep-deprived, or poorly recovered. In a health-adjacent coaching context, users may over-trust the recommendations and follow unsafe plans despite low recovery or injury risk, increasing the chance of physical harm.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code reads sensitive health data from a path fully influenced by environment variables (`WHOOP_DATA_DIR`, indirectly `OPENCLAW_WORKSPACE`) and then processes it without validation, restriction, or any disclosure to the user. In an agent or multi-tenant runtime, an attacker who can influence the environment could redirect the skill to ingest arbitrary local files or unintended health datasets, causing privacy exposure, data confusion, or downstream misuse of sensitive information.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The morning report sends personal health and activity data to an external LLM service without any visible consent, notice, or data-minimization guardrails. Even if the purpose is benign, exporting recovery, HRV, heart rate, sleep, and goals to a third party can expose sensitive health-profile information and create compliance and privacy risks.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The evening report repeats the same pattern of transmitting health/training data to an external LLM without user-facing disclosure or consent. Because this happens in a recurring reporting workflow, it increases the likelihood of ongoing unnoticed leakage of sensitive behavioral and biometric information.

Missing User Warnings

High
Confidence
98% confidence
Finding
The full report sends a much richer health profile to the LLM, including broader trend, prediction, body battery, heart-zone, goal, and tracker context, again with no visible privacy notice or consent. This increases re-identification and sensitive profiling risk, making the privacy/security impact materially higher than the shorter reports.

Missing User Warnings

Medium
Confidence
77% confidence
Finding
The module persists user feedback together with WHOOP-derived health metrics to disk in clear JSON without any visible consent, retention control, or protective measures in this code path. In a health/fitness context, this is sensitive personal data; local disclosure, over-collection, or unintended retention can harm user privacy even if the file stays on the same host.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill writes a health report containing potentially sensitive wellness data to disk without any explicit user notice, consent flow, or retention controls. In a health-related skill, silent persistence increases privacy risk because other local processes or users may access the generated file, especially if environment-controlled paths point to shared locations.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The code persists raw API keys to a shared JSON config file on disk without encryption, permission hardening, or an explicit warning at the save point. If the local filesystem is accessible to other users, backup tools, logs, or malware, those credentials can be recovered and abused against the user's LLM account.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code writes user fitness-profile answers to disk under a persistent per-user JSON file without any visible disclosure, retention policy, or consent check in this module. Persisting health/fitness-related profile data increases privacy risk if the host is compromised, backups are shared, or files are accessed by other components unexpectedly.

Missing User Warnings

High
Confidence
98% confidence
Finding
The analysis prompt sends user survey data together with WHOOP recovery and HRV information to an LLM, but there is no visible privacy warning or consent mechanism here. Sending combined health and behavioral data to a model provider can expose sensitive personal information to third-party processing, logging, or retention outside the user's expectations.

VirusTotal

67/67 vendors flagged this skill as clean.
