Skill v0.1.0

ClawScan security

WHOOP (Official API) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 13, 2026, 3:42 AM

Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary
The skill's code, instructions, and required secrets are coherent with a WHOOP OAuth + data-fetching integration; nothing in the package tries to access unrelated systems or install foreign binaries, though the registry metadata does not declare the required environment variables.
Guidance
This skill appears to be what it says: an official WHOOP OAuth client and data fetcher. Before installing, make sure you: (1) supply WHOOP_CLIENT_ID, WHOOP_CLIENT_SECRET, and WHOOP_REDIRECT_URI via environment variables (the registry metadata currently doesn't list these, so the omission is just a bookkeeping mismatch), (2) are comfortable storing OAuth tokens and refresh tokens on the host at the default token path (~/.config/openclaw/whoop/token.json) or set WHOOP_TOKEN_PATH to a secure location, (3) protect the client secret and token file (file permissions and host security), and (4) review the bundled scripts if you want to confirm there are no changes from an official source. If you plan to schedule cron pushes, ensure the cron job's destination channel parameter is correct and that you trust the machine running scheduled jobs. If any of these points are unacceptable, do not install or run the skill until addressed.

Review Dimensions

Purpose & Capability
note: The skill is clearly a WHOOP OAuth + data-fetcher/renderer: the code calls WHOOP endpoints and implements OAuth/token refresh, normalization, and rendering. However, the registry metadata declares no required environment variables while the SKILL.md and scripts require WHOOP_CLIENT_ID, WHOOP_CLIENT_SECRET, and WHOOP_REDIRECT_URI. This is an inconsistency in metadata (not a functional problem, but worth correcting).
Instruction Scope
ok: SKILL.md stays on-topic: it instructs OAuth login, fetching, normalizing, rendering, and optionally sending messages via the platform's message tool. The scripts only access WHOOP APIs and a local token file; there are no instructions to read unrelated system files or exfiltrate data to third-party endpoints.
Install Mechanism
ok: No install spec or external downloads are present; all code is bundled in the skill and uses only the Python standard library (urllib, json, etc.). There are no third-party package installs or remote payloads, which keeps installation risk low.
Credentials
note: The environment variables requested by the scripts (WHOOP_CLIENT_ID, WHOOP_CLIENT_SECRET, WHOOP_REDIRECT_URI, optional WHOOP_TOKEN_PATH, WHOOP_TZ) are appropriate for an OAuth client. Note that the registry's required-env list is empty while SKILL.md and scripts require secrets; also, the skill writes OAuth tokens (access/refresh) to a local file (~/.config/openclaw/whoop/token.json by default), so protecting that file and the client secret is necessary.
Persistence & Privilege
ok: The skill does not request always:true and does not modify other skills or global agent settings. It persists tokens to its own config path and sets file mode 0600 when possible; this is normal for an OAuth integration. Autonomous invocation is allowed by default (platform norm) but is not an extra privilege in this package.