WHOOP Health Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is coherent for WHOOP data access, but it handles sensitive health data and persistent OAuth tokens that users should protect and revoke when no longer needed.
This appears safe for its stated purpose if you intend to connect WHOOP. Before using it, create your own WHOOP developer app, confirm the requested read scopes, keep the token file and exported data private, and revoke/delete tokens when you no longer need the integration.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill can read sensitive WHOOP account health data, including optional profile and body measurements, until access is revoked or the token expires.
The skill requests WHOOP read scopes covering health, profile, and body-measurement data and stores OAuth tokens locally for later use.
TOKEN_FILE = Path.home() / ".whoop_tokens.json"
SCOPES = "read:recovery read:cycles read:workout read:sleep read:profile read:body_measurement"
Only authorize a WHOOP app you created, review the scopes during consent, protect ~/.whoop_tokens.json, and use the documented revoke command when finished.
This is an OAuth hardening gap: because the returned state is not checked, under unusual local or racing conditions the helper could accept an authorization response it did not initiate.
The OAuth flow generates and sends a state value, but the callback code shown does not validate the returned state before accepting the authorization code.
state = secrets.token_urlsafe(16)
...
auth_code_holder["code"] = params.get("code", [None])[0]
...
"state": state
Add returned-state validation, and preferably PKCE, before exchanging the authorization code for tokens.
Exported WHOOP files may contain private health, sleep, workout, profile, and body-measurement data that could be exposed if shared or uploaded in later workflows.
The workflow saves sensitive wearable-health data to local files and then encourages using that data in an agent analysis context.
python3 scripts/whoop_fetch.py --days 7 --format json --output whoop_data.json
...
Then ask: "Analyze my HRV trend and sleep performance over the last 30 days."
Store exports in a private location, avoid fetching profile/body_measurement unless needed, and delete or redact files before sharing them.
Running the scripts will access the network, store tokens, and write local output files as part of the documented workflow.
The skill relies on running included Python helper scripts. The execution is user-directed and central to the WHOOP integration.
python3 scripts/whoop_auth.py --client-id YOUR_CLIENT_ID --client-secret YOUR_CLIENT_SECRET
...
python3 scripts/whoop_fetch.py --days 7
Run the scripts only from the reviewed skill directory and inspect command arguments before execution.
