WHOOP Tracker

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it connects to WHOOP to retrieve user-authorized fitness and profile data, with sensitive-data cautions but no hidden or purpose-mismatched behavior found.

Install only if you are comfortable giving the agent read access to WHOOP health, workout, sleep, body-measurement, name, and email data. Keep ~/.whoop/credentials.json and ~/.whoop/token.json private, avoid using this on shared machines, be careful with --json output in logs or transcripts, and revoke the WHOOP OAuth grant when you no longer use the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill handles OAuth client credentials, tokens, and highly sensitive health data, but the documentation does not give an explicit privacy and secure-storage warning. Users may unknowingly place secrets in predictable local paths or expose health data through raw JSON output, logs, backups, or shared machines.

Missing User Warnings

Medium
Confidence: 86%
Finding
This script prints highly sensitive personal and health data, including name, email, user ID, height, weight, and heart-rate information, directly to stdout with no consent check, masking, or contextual warning. In an agent/skill environment, stdout may be surfaced to users, logs, transcripts, or calling systems, creating an avoidable privacy exposure even if the data access itself is legitimate.

VirusTotal

66/66 vendors flagged this skill as clean.