Whoop Skill

Pass. Audited by ClawScan on May 10, 2026.

Overview

This appears to be a coherent WHOOP health-data CLI, but it necessarily handles sensitive health data and persistent OAuth tokens.

Before installing, make sure you trust the npm/GitHub package, understand that it can access your WHOOP health/profile data, and protect the local token file at ~/.whoop-cli/tokens.json. The reviewed artifacts do not show malicious behavior or unrelated data transmission.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing it puts executable code from the npm package on your machine.

Why it was flagged

The skill is installed as a global npm package, which is normal for a CLI but means package provenance and dependencies matter.

Skill content

Install: `npm install -g whoopskill`

Recommendation

Install only from the expected npm/GitHub source and review package provenance if you are sensitive to supply-chain risk.

What this means

The CLI, and an agent invoking it, can read sensitive WHOOP health data after authentication.

Why it was flagged

The OAuth flow requests read access to multiple sensitive WHOOP health/profile data categories plus offline refresh access.

Skill content

const SCOPES = 'read:profile read:body_measurement read:workout read:recovery read:sleep read:cycles offline';

Recommendation

Use only if you are comfortable granting these read scopes; revoke the WHOOP app or run `whoopskill auth logout` when no longer needed.

What this means

Anyone who can read the token file could access your WHOOP data until the token is revoked or expires.

Why it was flagged

The skill persistently stores OAuth access and refresh tokens locally, with restrictive file permissions (mode 0600).

Skill content

const TOKEN_FILE = join(CONFIG_DIR, 'tokens.json'); ... writeFileSync(TOKEN_FILE, JSON.stringify(data, null, 2)); chmodSync(TOKEN_FILE, 0o600);

Recommendation

Protect your home directory and token file, avoid sharing terminal logs or backups containing it, and log out/revoke access if needed.

What this means

Your WHOOP data is fetched from WHOOP and printed to stdout, where it may be visible to the agent, terminal, shell history redirection, or downstream tools.

Why it was flagged

The CLI sends the WHOOP bearer token to the configured WHOOP API endpoint to fetch data; this is expected provider communication for the stated purpose.

Skill content

const url = new URL(BASE_URL + endpoint); ... Authorization: `Bearer ${tokens.access_token}`

Recommendation

Be careful where you run commands and where you redirect or paste the output, because it can contain personal health and profile data.