WHOOP Health
v1.0.0Fetch, analyze, and visualize WHOOP wearable health data via the WHOOP Developer API v2. Use when the user wants to connect their WHOOP band, retrieve recove...
⭐ 0· 157·0 current·0 all-time
byJIAWEI YIN@jarviyin
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The skill's name and description (WHOOP API integration) align with the included Python auth and fetch scripts. Minor inconsistencies: the SKILL.md text mentions WHOOP Developer API v2 while the code and references use v1 endpoints (/developer/v1). The registry metadata declares no required config paths/env vars, but the skill expects and uses tokens at ~/.whoop_tokens.json and optionally WHOOP_CLIENT_ID / WHOOP_CLIENT_SECRET.
Instruction Scope
Runtime instructions are scoped to creating a WHOOP developer app, running the included OAuth helper to obtain tokens, and fetching WHOOP data. The instructions only tell the agent to read/write the token file (~/.whoop_tokens.json) and output JSON/CSV files. No steps ask the agent to read unrelated system files or send data to unexpected external endpoints.
Install Mechanism
This is an instruction-only skill with bundled Python scripts; there is no install spec or network download of arbitrary code. The scripts are plain Python and import only standard library modules.
Credentials
The skill does not require any unrelated credentials. It optionally reads WHOOP_CLIENT_ID and WHOOP_CLIENT_SECRET (declared in SKILL.md but not as required in the registry), and it stores tokens in ~/.whoop_tokens.json. The manifest should have declared that config path and the optional env vars; their use is otherwise appropriate for OAuth token refresh and API access.
Persistence & Privilege
The skill writes and reads a token file (~/.whoop_tokens.json) in the user's home directory and sets restrictive file permissions (0o600). always:false (no forced presence). The token file is expected behavior for an OAuth flow, but you should be aware that the token file contains access/refresh tokens stored locally.
Assessment
This skill appears to do what it says: perform OAuth against WHOOP and fetch health data. Before installing or running it: 1) Verify the WHOOP client_id and client_secret come from your WHOOP developer app (the scripts accept these via flags or WHOOP_CLIENT_ID/WHOOP_CLIENT_SECRET env vars). 2) Note the skill saves tokens to ~/.whoop_tokens.json (with 0600 perms) — protect this file and delete/revoke tokens when finished (whoop_auth.py --revoke). 3) The SKILL.md mentions API v2 but the code uses v1 endpoints; confirm the endpoints/versions match the WHOOP API you expect. 4) The auth flow spins up a localhost server on port 8080 for the OAuth redirect — ensure that port is acceptable to use. 5) Review the included scripts yourself (they are small and use only the Python standard library) before running, especially since this handles sensitive health data. If you need the registry metadata corrected (declare the token file path and optional env vars), ask the skill author to update those fields.Like a lobster shell, security has layers — review code before you run it.
latestvk970k4k3g290pnc1ky4q9726j982wstd
License
MIT-0
Free to use, modify, and redistribute. No attribution required.