v1.0.1

WHOOP Tracker

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 4:54 AM.

Analysis

The skill is a coherent WHOOP read-only data integration, but it requires OAuth access to sensitive fitness/profile data and stores tokens locally.

Guidance: This skill appears benign and purpose-aligned for reading WHOOP data. Before installing, understand that OAuth authorization can expose sensitive health, workout, sleep, body measurement, and profile information to the agent, and that credentials/tokens are stored locally under `~/.whoop`.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
scripts/install.sh
pip3 install requests

The user-directed install script installs the external Python `requests` package without a pinned version. This is normal for a simple API client, but it still depends on the package index and current package resolution.

User impact: Running the install script will fetch code from the Python package ecosystem before using the skill.
Recommendation: Use a virtual environment and, if you need stricter reproducibility, install a reviewed or pinned version of `requests`.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Note
SKILL.md
Required OAuth Scopes: `read:profile`, `read:body_measurement`, `read:recovery`, `read:sleep`, `read:cycles`, `read:workout`

These scopes grant read access to WHOOP profile, body, sleep, recovery, cycle, and workout data. That access is disclosed and matches the stated purpose, but it is sensitive personal health/account data.

User impact: Installing and authorizing this skill can let the agent retrieve personal WHOOP health metrics, workout history, body measurements, name, and email.
Recommendation: Authorize it only if you are comfortable sharing this WHOOP data with the agent; revoke the WHOOP OAuth grant if you stop using the skill.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
scripts/whoop_client.py
CREDENTIALS_PATH = Path.home() / ".whoop" / "credentials.json"
TOKEN_PATH = Path.home() / ".whoop" / "token.json"

The client reads local WHOOP OAuth app credentials and stores access/refresh tokens in the user's home directory. This is expected for the integration and the code applies restrictive permissions when saving tokens.

User impact: A local token file keeps the WHOOP connection active across sessions, so anyone who can read that file could use the stored token to access the same data until it is revoked or expires.
Recommendation: Keep `~/.whoop/credentials.json` and `~/.whoop/token.json` private, preserve restrictive file permissions, and delete or revoke tokens when no longer needed.