v1.1.0

Whoop Skill

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 4:44 AM.

Analysis

This WHOOP CLI appears to do what it says—read WHOOP health data through WHOOP OAuth—but it requires persistent access to sensitive health-account data.

Guidance: Before installing, be comfortable granting read access to your WHOOP health data, protect the WHOOP client secret and local token file, treat CLI output as sensitive, and install only from the expected npm/GitHub source.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: Medium | Status: Note
SKILL.md
Install: `npm install -g whoopskill` | [GitHub](https://github.com/koala73/whoopskill)

The skill relies on a global npm package installation, so the published package and dependency provenance matter; this is normal for the stated Node CLI purpose.

User impact: You are trusting the published npm package and its dependencies on your machine.
Recommendation: Install from the expected npm/GitHub source, verify the package name, and avoid look-alike or modified packages.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Note
src/auth/oauth.ts
const SCOPES = 'read:profile read:body_measurement read:workout read:recovery read:sleep read:cycles offline';

The OAuth grant requests read access to multiple WHOOP data classes and an offline refresh capability, matching the skill purpose but giving ongoing access to sensitive health-account data.

User impact: Logging in lets the tool read profile, body, sleep, recovery, workout, and cycle data from your WHOOP account.
Recommendation: Use only with a WHOOP developer app you control, confirm the requested scopes, and revoke access or run logout when you no longer need the tool.
Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
src/auth/tokens.ts
const TOKEN_FILE = join(CONFIG_DIR, 'tokens.json'); ... writeFileSync(TOKEN_FILE, JSON.stringify(data, null, 2)); chmodSync(TOKEN_FILE, 0o600);

Access and refresh tokens are persisted locally with restrictive file permissions so future invocations can authenticate or refresh automatically.

User impact: Anyone who can read this token file on your device may be able to use your WHOOP session until the token expires or is revoked.
Recommendation: Keep the device account protected, avoid syncing this directory, use `whoopskill auth logout` to clear local tokens, and revoke the app in WHOOP if needed.
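A practical way to act on the two findings above (confirm the requested scopes, and confirm the token file is only readable by you) is a small local audit. The TypeScript below is an added example written for this review, not code from the whoopskill project: `EXPECTED_SCOPES` mirrors the scope string quoted from `src/auth/oauth.ts`, the function names `checkScopes`, `auditTokenFile` and `demo` are this example's own, and the `tokens.json` contents it writes are constructed placeholders in a temporary directory. It flags any scope outside the expected read-only set (for instance a `write:` scope) and treats any group or world permission bit on the token file as a leak of the session.

```typescript
import { chmodSync, existsSync, mkdtempSync, statSync, writeFileSync } from "node:fs";
import { tmpdir } from "node:os";
import { join } from "node:path";

// Scope string the scan quotes from src/auth/oauth.ts; anything beyond
// this set is a reason to stop and look before logging in.
const EXPECTED_SCOPES: Set<string> = new Set([
  "read:profile",
  "read:body_measurement",
  "read:workout",
  "read:recovery",
  "read:sleep",
  "read:cycles",
  "offline",
]);

interface ScopeReport {
  unexpected: string[]; // requested but not in the expected set (e.g. write:*)
  missing: string[];    // expected but not requested (harmless, but worth noting)
  offline: boolean;     // true when a refresh token (persistent access) is requested
}

// Compare a space-separated OAuth scope string against the expected set.
function checkScopes(requested: string, expected: Set<string> = EXPECTED_SCOPES): ScopeReport {
  const req = new Set(requested.split(/\s+/).filter((s) => s.length > 0));
  return {
    unexpected: Array.from(req).filter((s) => !expected.has(s)).sort(),
    missing: Array.from(expected).filter((s) => !req.has(s)).sort(),
    offline: req.has("offline"),
  };
}

type TokenFileStatus = "missing" | "ok" | "too-permissive";

// Inspect the on-disk token file. 0o600 is what the skill sets; any
// group/other bit (0o077 mask) means another local account could read
// the access and refresh tokens and reuse the WHOOP session.
function auditTokenFile(path: string): { status: TokenFileStatus; mode: number } {
  if (!existsSync(path)) {
    return { status: "missing", mode: 0 };
  }
  const mode = statSync(path).mode & 0o777;
  const status: TokenFileStatus = (mode & 0o077) === 0 ? "ok" : "too-permissive";
  return { status, mode };
}

// Demo on constructed files: one written the way the skill does (0o600),
// one deliberately left group/world readable.
function demo(): { good: TokenFileStatus; bad: TokenFileStatus } {
  const dir = mkdtempSync(join(tmpdir(), "whoop-audit-"));
  const placeholder = JSON.stringify(
    { access_token: "constructed-placeholder", refresh_token: "constructed-placeholder" },
    null,
    2,
  );

  const good = join(dir, "tokens.json");
  writeFileSync(good, placeholder);
  chmodSync(good, 0o600);

  const bad = join(dir, "tokens-leaky.json");
  writeFileSync(bad, placeholder);
  chmodSync(bad, 0o644);

  return { good: auditTokenFile(good).status, bad: auditTokenFile(bad).status };
}

// Run the audit on the quoted scope string and the constructed files.
const scopeReport = checkScopes(
  "read:profile read:body_measurement read:workout read:recovery read:sleep read:cycles offline",
);
console.log("scopes:", scopeReport);
console.log("token files:", demo());
```

To audit a real installation, point `auditTokenFile` at the skill's actual `tokens.json` under its config directory and paste the scope string from the installed package's `src/auth/oauth.ts` into `checkScopes`; a non-empty `unexpected` list or a `too-permissive` status is the signal to revoke the app in WHOOP and investigate before continuing.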