Back to skill

Security audit

Whoop

Security checks across malware telemetry and agentic risk

Overview

This Whoop skill appears purpose-built, but it deserves review because it handles sensitive health data and includes avoidable credential-exposure paths.

Install only if you are comfortable granting read access to Whoop sleep, recovery, cycle, workout, profile, and body-measurement data with offline refresh. Treat terminal output, generated chart HTML, and ~/.clawdbot/whoop-tokens.json as private health and credential material. Avoid using the token command, consider deleting tokens with logout when finished, and be aware that charts auto-open and load a third-party chart library.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill invokes shell commands, performs network access to the Whoop API, reads reference files, and writes sensitive OAuth tokens locally, yet it declares no permissions or trust boundaries. This creates a transparency and consent problem: users and hosting systems are not clearly informed that the skill can access external services and persist sensitive data on disk.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The declared description emphasizes viewing health data and generating charts, but the skill also performs OAuth account linkage, token storage/refresh, and accesses profile and body-measurement data. That mismatch can cause users to authorize broader data collection and account access than they reasonably expect, especially given the sensitivity of health-related information.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script exposes profile and body-measurement retrieval commands even though the stated skill purpose is focused on sleep, recovery, strain, workout data, and charting. This broadens access to additional sensitive personal and biometric data beyond the expected scope, increasing privacy risk and violating least-privilege/data-minimization principles.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
User profile retrieval is not necessary for the described function of analyzing and visualizing Whoop health metrics. Accessing profile data can expose identifying information unrelated to the requested analytics, creating unnecessary privacy exposure if output is logged, displayed, or forwarded.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Body measurement retrieval extends the skill into accessing additional biometric data that is more sensitive than the manifest suggests. Because the script prints raw results to stdout, unnecessary body data could be exposed to logs, downstream tools, or other components without a clear need.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill handles highly sensitive health data and stores OAuth tokens in a local file, but it does not present a prominent privacy warning or local-storage risk disclosure. Users may unknowingly leave bearer tokens and personal health information exposed to other local users, backups, or malware on the host.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script persists the OAuth client_secret alongside user access and refresh tokens in a local JSON file. If the local account, backup system, logs, or another process can read that file, an attacker gains both long-lived refresh capability and the client credential, increasing the chance of account compromise and unauthorized API access.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Printing the current access token directly to stdout can expose it through terminal history, shell capture, process supervisors, CI logs, clipboard tools, or other monitoring mechanisms. Any party that obtains the token may be able to call the Whoop API as the user until the token expires, and refresh may also occur automatically beforehand.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The code retrieves sensitive health data from the Whoop API and later emits results as JSON to stdout, but there is no warning, consent checkpoint, or output-sanitization step. In agent environments, stdout may be captured in logs, traces, or tool outputs, which can unintentionally disclose protected health and biometric information.

Credential Access

High
Category
Privilege Escalation
Content
login_p.add_argument("--client-id", required=True)
    login_p.add_argument("--client-secret", required=True)

    sub.add_parser("token", help="Print current access token")
    sub.add_parser("status", help="Show auth status")
    sub.add_parser("logout", help="Delete stored tokens")
Confidence
96% confidence
Finding
access token

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.