ClawHub

Whoop Skill

Security checks across malware telemetry and agentic risk

Overview

This is a coherent WHOOP health-data CLI, but it handles sensitive health data and persistent OAuth tokens that users should protect.

Install only if you trust the npm/GitHub source and are comfortable granting read access to WHOOP health and profile data. Protect WHOOP_CLIENT_SECRET, do not commit .env files, avoid sharing terminal output or logs, and run whoopskill auth logout or revoke the WHOOP app when you no longer need access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The documented purpose understates the actual behavior by omitting significant security-relevant actions such as OAuth browser-based login, token persistence under ~/.whoop-cli/tokens.json, token refresh, and retrieval of additional personal profile/body data. This can mislead users into granting access without understanding that long-lived credentials and broader sensitive health/identity data will be stored and processed locally.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation includes examples of highly sensitive health and identity data and notes local token storage, but does not clearly warn users about privacy risks, credential sensitivity, or the consequences of exposing stdout/logged output. In contexts involving health metrics, profile data, and OAuth tokens, inadequate privacy disclosure increases the chance of accidental leakage through shell history, terminal logs, screenshots, backups, or weak filesystem protections.

Session Persistence

Medium
Category
Rogue Agent
Content
export WHOOP_REDIRECT_URI=https://your-redirect-uri.com/callback
```

Or create a `.env` file in your working directory.

3. Authenticate:
```bash
Confidence
91% confidence
Finding
create a `.env` file in your working directory. 3. Authenticate: ```bash whoopskill auth login ``` Tokens are stored in `~/.whoop-cli/tokens.json` and auto-refresh when expired. ## Usage ```bash #

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal