WHOOP (Official API)
v0.1.0Connect to the WHOOP Developer Platform via official OAuth (authorization code flow), store and refresh tokens, and fetch WHOOP v2 data (recovery, sleep, cyc...
⭐ 0· 155·0 current·0 all-time
byGavin C.@gavinchengcool
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The skill is clearly a WHOOP OAuth + data-fetcher/renderer: the code calls WHOOP endpoints and implements OAuth/token refresh, normalization, and rendering. However, the registry metadata declares no required environment variables while the SKILL.md and scripts require WHOOP_CLIENT_ID, WHOOP_CLIENT_SECRET, and WHOOP_REDIRECT_URI — an inconsistency in metadata (not a functional problem but worth correcting).
Instruction Scope
SKILL.md stays on-topic: it instructs OAuth login, fetching, normalizing, rendering, and optionally sending messages via the platform's message tool. The scripts only access WHOOP APIs and a local token file; there are no instructions to read unrelated system files or exfiltrate data to third-party endpoints.
Install Mechanism
No install spec or external downloads are present; all code is bundled in the skill and uses only the Python standard library (urllib, json, etc.). There are no third-party package installs or remote payloads, which keeps installation risk low.
Credentials
The environment variables requested by the scripts (WHOOP_CLIENT_ID, WHOOP_CLIENT_SECRET, WHOOP_REDIRECT_URI, optional WHOOP_TOKEN_PATH, WHOOP_TZ) are appropriate for an OAuth client. Note that the registry's required-env list is empty while SKILL.md and scripts require secrets; also the skill writes OAuth tokens (access/refresh) to a local file (~/.config/openclaw/whoop/token.json by default), so protecting that file and the client secret is necessary.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or global agent settings. It persists tokens to its own config path and sets file mode 0600 when possible; this is normal for an OAuth integration. Autonomous invocation is allowed by default (platform norm) but not an extra privilege in this package.
Assessment
This skill appears to be what it says: an official WHOOP OAuth client and data fetcher. Before installing, make sure you: (1) supply WHOOP_CLIENT_ID, WHOOP_CLIENT_SECRET, and WHOOP_REDIRECT_URI via environment variables (the registry metadata currently doesn't list these, so the omission is just a bookkeeping mismatch), (2) are comfortable storing OAuth tokens and refresh tokens on the host at the default token path (~/.config/openclaw/whoop/token.json) or set WHOOP_TOKEN_PATH to a secure location, (3) protect the client secret and token file (file permissions and host security), and (4) review the bundled scripts if you want to confirm there are no changes from an official source. If you plan to schedule cron pushes, ensure the cron job's destination channel parameter is correct and that you trust the machine running scheduled jobs. If any of these points are unacceptable, do not install or run the skill until addressed.Like a lobster shell, security has layers — review code before you run it.
latestvk97ddypak0qparcj2fw28hsv2x82vspw
License
MIT-0
Free to use, modify, and redistribute. No attribution required.