Whop
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a coherent Whop business-operations guide with no code, but it directs the use of Whop API credentials and persistent local business notes, so users should keep credential scopes and saved data under control.
This skill appears safe to install if you want Whop-specific business and API guidance. Before using advanced features, make sure any Whop API key is scoped appropriately, keep sandbox and production separate, verify webhooks, and review the ~/whop/ memory files so they do not contain secrets or stale business identifiers.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a broad Whop credential is supplied, API calls may read or affect company resources such as products, payments, stats, webhooks, and embedded access flows.
The skill may use real Whop account or company credentials for advanced API work. This is expected for the integration, but those credentials can carry meaningful business permissions.
Official API accepts a company API key, company scoped JWT, app API key, or user OAuth token as bearer auth.
Use environment variables, sandbox credentials for testing, and the narrowest Whop credential or permission set that satisfies the task.
Mistaken API use could inspect the wrong company, mix sandbox and production, or change business configuration if the user asks for mutations.
The advanced workflow guidance covers API surfaces that can expose or change important business data. The artifacts present them as user-directed advanced workflows rather than automatic actions.
The published Whop OpenAPI exposes these high-signal families: ... Payments ... Promo codes ... Webhooks ... Files ... Access tokens ... Stats
Confirm company IDs, sandbox versus production, and intended read/write impact before allowing API actions, especially around payments, promo codes, webhooks, files, and access tokens.
Local memory could reveal business context or cause the agent to reuse stale company, environment, or webhook information in future Whop tasks.
The skill intentionally persists local Whop context for future use. That is aligned with its business-operations purpose, but saved IDs, webhook details, and operating notes may influence later actions.
What You're Saving (internally) ... Company, product, plan, user, affiliate, webhook, and checkout identifiers
Review ~/whop/ periodically, avoid storing secrets, label sandbox versus production clearly, and remove stale IDs or activation preferences.
Installing external development packages can introduce normal package-supply-chain risk in the user's project.
The skill documents optional installation of an external development proxy package. This is purpose-aligned for Whop local app development and is not shown as automatic installation.
pnpm add -D @whop-apps/dev-proxy ... npm install --save-dev @whop-apps/dev-proxy ... The CLI binary is `whop-proxy`.
Install the proxy only when needed, prefer the official package source, pin versions where possible, and review project dependency changes.
