Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
HerCycle
v1.0.0
Women's cycle intelligence companion. Reads Whoop biometric data (HRV, recovery, sleep, skin temperature) and menstrual cycle phase to understand which hormo...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to read Whoop biometrics via a local WhoopClaw backend and optionally trigger Spotify/calendar actions. Those capabilities legitimately require Whoop API credentials, a WhoopClaw base URL, and likely Spotify/calendar credentials — but the published metadata lists no required env vars/credentials. The declared purpose (Whoop-based cycle intelligence) aligns with the described endpoints, but the registry underreports needed capabilities and integrations (Spotify, calendar, possibly Telegram) which is incoherent.
Instruction Scope
SKILL.md instructs the agent to call local WhoopClaw endpoints (e.g., /whoop/recovery, /whoop/metrics/skin-temp, /cycle/current-phase) and to 'pull live data' before making recommendations. It also references reading a WhoopClaw DB table (`cycle_tracking`) and optional external modules (Spotify engine, calendar) — these broaden scope beyond a read-only recommendation interface. There are small inconsistencies in endpoint names across files (e.g., /cycle/current vs /cycle/current-phase) and unspecified use of identifiers (telegram_id) and triggers, leaving the agent broad latitude to access local network endpoints and external services.
Install Mechanism
No install spec and no code files: the skill is instruction-only, so it does not install packages or write files. This is lower risk from an installation standpoint, but increases reliance on runtime calls to local/external services described in the docs.
Credentials
The SKILL.md explicitly lists WHOOP_CLIENT_ID, WHOOP_CLIENT_SECRET and WHOOPLAW_BASE_URL as setup requirements (and implies Spotify/calendar credentials and identifiers like telegram_id), but the registry metadata declares no required env vars or primary credential. Underdeclaring required credentials is a red flag: it obfuscates which sensitive tokens the agent will need to access and transmit to local/external endpoints.
Persistence & Privilege
always:false (not force-included) and model invocation is allowed (default). Autonomous invocation is normal for skills; combined with the above concerns (local endpoint access, omitted creds), this increases potential exposure, but there is no indication the skill requests permanent system-level privileges or modifies other skills.
What to consider before installing
Do not install blindly. The SKILL.md requires a running WhoopClaw instance and Whoop API credentials (WHOOP_CLIENT_ID/SECRET) and implies additional integrations (Spotify, calendar, Telegram IDs) that are not declared in the registry metadata. Before installing:
1) confirm the skill's source and review WhoopClaw code you will point it at (running a third‑party backend on localhost can expose local services);
2) ensure any API keys you provide are minimal-scope and easily revocable;
3) verify which external tokens (Spotify, calendar) the skill will request and refuse to provide tokens you don't trust;
4) ask the publisher to correct metadata to list required env vars and to clarify endpoints and exact data flows; and
5) if you want to test, run WhoopClaw in an isolated/sandboxed environment and monitor network calls to confirm behavior.
If the publisher cannot explain the missing credential declarations and endpoint inconsistencies, treat the skill as untrusted.
Like a lobster shell, security has layers — review code before you run it.
Tags: biometric, cycle, health, hormonal, latest, whoop, women
