Whoo CLI

Review

Audited by ClawScan on May 1, 2026.

Overview

The skill is coherent for retrieving WHOOP health data, but it relies on a third-party CLI and OAuth access to sensitive personal health metrics.

Before installing, confirm you trust the `@luisgot/whoo` CLI source and are comfortable granting it WHOOP OAuth access. Use the documented logout/revocation path when finished, and keep raw health-data outputs private.

Findings (3)

This is an artifact-based, informational review of SKILL.md, the metadata, the install specs, static scan signals, and capability signals. ClawScan did not execute the skill or run runtime probes, so the findings below describe what the artifacts request and grant, not observed behavior.

Finding 1 of 3: external CLI installation

What this means

Installing the CLI runs third-party code on your machine with your user's privileges, and once you log in that same code holds your WHOOP OAuth credentials and tokens.

Why it was flagged

The skill asks the user to install an external, globally installed CLI package that is not included in the submitted artifacts, so its code was not part of this review. The install is central to the skill's purpose and is user-directed, but the package's provenance should be verified.

Skill content
Source: https://github.com/LuisGot/whoo
bun add -g @luisgot/whoo       # requires Bun 1.3+
# or: npm install -g @luisgot/whoo
Recommendation

Verify the GitHub repository, the npm package, its maintainer, and the exact version before installing; pin that version (`@luisgot/whoo@<version>`) rather than installing whatever is tagged latest, and check that the tarball you install matches the integrity string the registry publishes for it.
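The integrity check below is an added example written for this review; it is not part of the whoo project or of ClawScan's tooling. It assumes you have already chosen a version to pin, fetched its tarball with `npm pack @luisgot/whoo@<version>`, and read the expected integrity string with `npm view @luisgot/whoo@<version> dist.integrity` (both are standard npm commands; the version placeholder is yours to fill in). The script recomputes npm's SRI string from the tarball on disk and refuses to hand the file to `npm install -g` if it differs. The file it hashes in the demo is constructed, not a real package.

```shell
#!/bin/sh
# Added example for this review (not whoo or ClawScan code): verify a downloaded
# npm tarball against the Subresource Integrity (SRI) string that
# `npm view <pkg>@<version> dist.integrity` reports, before installing it globally.
set -eu

# npm's SRI format for sha512 is "sha512-" followed by base64(sha512(file)).
sri_sha512() {
  printf 'sha512-%s' "$(openssl dgst -sha512 -binary "$1" | base64 | tr -d '\n')"
}

# verify_tarball FILE EXPECTED_SRI
# Returns 0 when the file's computed SRI equals EXPECTED_SRI, 1 otherwise.
verify_tarball() {
  tarball="$1"
  expected="$2"
  actual="$(sri_sha512 "$tarball")"
  if [ "$actual" = "$expected" ]; then
    echo "OK: $tarball matches $expected"
    return 0
  fi
  echo "MISMATCH: refusing to install $tarball" >&2
  echo "  expected: $expected" >&2
  echo "  actual:   $actual" >&2
  return 1
}

# install_if_verified FILE EXPECTED_SRI
# Only hands the tarball to npm when the integrity check passes. The install
# line is the real `npm install -g <tarball>` form; it is commented out so this
# example runs offline and changes nothing on your machine.
install_if_verified() {
  verify_tarball "$1" "$2" || return 1
  echo "would run: npm install -g $1"
  # npm install -g "$1"
}

# Demo with a constructed file standing in for a downloaded tarball.
demo() {
  tmp="$(mktemp)"
  printf 'constructed tarball contents, not a real package\n' > "$tmp"
  good="$(sri_sha512 "$tmp")"
  install_if_verified "$tmp" "$good"                 # passes
  if install_if_verified "$tmp" "sha512-AAAA"; then  # mismatched string
    echo "BUG: mismatch was accepted" >&2
    rm -f "$tmp"
    return 1
  fi
  rm -f "$tmp"
}

demo
```

In practice you would paste the `dist.integrity` value from `npm view` as the second argument and the `npm pack` output file as the first; a mismatch means the file you have is not the one the registry describes for that version, and the install should not proceed.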

Finding 2 of 3: persistent WHOOP OAuth tokens

What this means

The CLI can read WHOOP account data after login, and because the stored tokens refresh automatically that access continues until the credentials are removed with `whoo logout` or the app is revoked.

Why it was flagged

The skill requires WHOOP OAuth setup and persistent tokens. This is expected for retrieving the user's WHOOP data, but it grants continuing account access to sensitive health data.

Skill content
Create a developer app at <https://developer.whoop.com> and note your `client_id` and `client_secret`... Run `whoo login`... Tokens are persisted to the OS config directory and refresh automatically.
Recommendation

Connect only a WHOOP account you intend to expose to this tool, keep the `client_secret` and the persisted tokens private (they should be readable by your user alone), and run `whoo logout` or revoke the app when you no longer want it to have access.
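The permission check below is an added example for this review, not whoo or ClawScan code. The skill only says tokens are "persisted to the OS config directory" and does not give the path, so the directory is an argument you supply; the demo uses a constructed temporary directory, and the usual Linux location `${XDG_CONFIG_HOME:-$HOME/.config}` is mentioned in a comment only as an assumption. The script reports any regular file under that directory that group or other users can read or write, which is the state you do not want for a file holding OAuth refresh tokens, and tightens them to owner-only.

```shell
#!/bin/sh
# Added example for this review (not whoo or ClawScan code): report files under a
# config directory that other local users can read or write. Persisted OAuth
# tokens should be mode 0600 (or stricter); anything looser is worth fixing.
set -eu

# check_secret_perms DIR
# Prints each regular file under DIR whose group or other permission bits are set
# (`find -perm /077` matches if ANY of those bits is set) and returns 1 if any
# were found, 0 if the directory is clean.
check_secret_perms() {
  dir="$1"
  leaky="$(find "$dir" -type f -perm /077 2>/dev/null || true)"
  if [ -n "$leaky" ]; then
    echo "Files readable/writable by other users under $dir:" >&2
    printf '%s\n' "$leaky"
    return 1
  fi
  echo "OK: no group/other-accessible files under $dir"
  return 0
}

# fix_secret_perms DIR
# Tightens every regular file under DIR to owner read/write only (0600).
fix_secret_perms() {
  find "$1" -type f -exec chmod 600 {} +
}

# Demo on a constructed directory standing in for the real config location
# (on Linux typically ${XDG_CONFIG_HOME:-$HOME/.config}/<tool>; the path whoo
# actually uses is not stated in the skill, so that is an assumption).
demo() {
  d="$(mktemp -d)"
  printf '{"access_token":"constructed"}\n' > "$d/tokens.json"
  chmod 644 "$d/tokens.json"              # the bad state: world-readable
  if check_secret_perms "$d"; then
    echo "BUG: world-readable token file not detected" >&2
    rm -rf "$d"
    return 1
  fi
  fix_secret_perms "$d"
  check_secret_perms "$d"                 # passes after tightening
  rm -rf "$d"
}

demo
```

Run `check_secret_perms` against the directory the CLI writes to after `whoo login`, and again after `whoo logout` to see what, if anything, is left behind; a clean result does not by itself prove the tokens were revoked server-side, which is why the recommendation also covers revoking the app.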

Finding 3 of 3: sensitive health data enters the conversation

What this means

Your recovery, sleep, heart-rate, SpO2, and profile/body data may appear in the chat context when you ask the skill to retrieve it.

Why it was flagged

The skill intentionally brings sensitive health data into the conversation context. The artifact includes privacy guidance, so this is disclosed and purpose-aligned.

Skill content
This skill processes sensitive personal health data (recovery, HRV, sleep, SpO2). Process it locally within this conversation only. Do not forward raw output to external APIs, logs, or third-party services.
Recommendation

Only request data you are comfortable sharing in the conversation, and avoid copying raw outputs into other tools or public places.