WHOOP Tracker

v1.0.1

Access WHOOP fitness tracker data via API, including recovery scores, sleep metrics, workout stats, daily strain, and body measurements. Use when the user asks about their WHOOP data, fitness metrics, recovery status, sleep quality, workout performance, or wants to track health trends.

by Giacomo Barbieri @ijaack
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name and description align with included code: a Python WHOOP API client and scripts for profile, recovery, sleep, and workouts. The skill uses OAuth and stores credentials/tokens under ~/.whoop which is appropriate for this purpose. Minor inconsistencies exist between SKILL.md, references, and whoop_client.py (base URL path includes '/developer', some endpoint paths/versions differ between docs and code, and get_body_measurements endpoint path differs from the reference), but these are implementation bugs rather than evidence of misrepresentation.
Instruction Scope
SKILL.md instructs the agent/user to create ~/.whoop/credentials.json, run an OAuth flow, and execute the provided scripts — all scoped to WHOOP data. The runtime instructions and scripts read/write only the described credentials and token files and call the WHOOP API. However the SKILL.md and code have mismatches (endpoints, path conventions) and the included AUDIT.md flags missing error handling and other faults; follow-up fixes are needed to avoid runtime failures.
Install Mechanism
No remote downloads or third-party install artifacts beyond a local install.sh that runs 'pip3 install requests'. All code is packaged with the skill; install method is low risk compared with arbitrary remote downloads.
Credentials
No environment variables or unrelated cloud credentials are requested. The skill requires a WHOOP OAuth client_id/client_secret which the instructions place in ~/.whoop/credentials.json — this is proportional to the declared functionality. It does persist OAuth tokens to ~/.whoop/token.json (normal for an OAuth client).
Persistence & Privilege
The skill persists its own credentials/tokens under ~/.whoop and does not request always:true or system-wide configuration changes. It does not modify other skills or system-wide agents. Storing tokens locally is expected for this kind of client, but you should protect the credentials file (SKILL.md suggests chmod 600 which is appropriate).
Scan Findings in Context
[AUDIT_MD_PRESENT] expected: An included AUDIT.md documents multiple bugs (import path issues, missing dependency handling, OAuth flow fixes). Having an audit file is expected; its contents are useful signals that the code needs fixes before production use.
[USES_REQUESTS_LIBRARY] expected: The code imports and depends on the 'requests' library and the install script installs it. This is expected for a Python HTTP client.
[PERSIST_TOKENS_TO_HOME] expected: The client saves access/refresh tokens to ~/.whoop/token.json and sets restrictive permissions (chmod 600). Storing tokens locally is expected for an OAuth client, but users should be aware of the file location and secure it.
[HARDCODED_API_BASE_URL] expected: WHOOP_BASE_URL is hard-coded to 'https://api.prod.whoop.com/developer'. The SKILL.md lists 'https://api.prod.whoop.com' as the base — these mismatches are implementation inconsistencies rather than malicious obfuscation.
[AUDIT_CRITICAL_BUGS_LISTED] unexpected: AUDIT.md lists '12 critical bugs' that would break first-run usage (import path issues, missing dependency-handling). These are not expected as part of a polished skill and indicate the package may not work correctly without author fixes.
Assessment
This skill is coherent with its stated purpose (fetching WHOOP data) and does not request unrelated credentials, but it is not production-ready. Before installing or running: (1) review the code locally — it will create ~/.whoop/credentials.json and ~/.whoop/token.json and store your client_id/client_secret and tokens there; protect those files (chmod 600 is recommended); (2) be prepared to run 'pip3 install requests' or use the provided install.sh in a virtualenv; (3) expect runtime errors due to documented bugs in AUDIT.md (fix import paths or run scripts from the skill root, ensure endpoints and redirect_uri match your WHOOP app settings); (4) if you don't trust the source, run the scripts in an isolated VM/container or review/fix the code before using them with your live WHOOP account. If you want, I can list the specific code mismatches and exact fixes referenced in AUDIT.md to help get it working safely.

Like a lobster shell, security has layers — review code before you run it.

latestvk973fsk2v5pn2nydn982y7942h801w0p
