Whoop
Review
Audited by ClawScan on May 10, 2026.
Overview
This Whoop skill is coherent and read-only, but it handles sensitive health data and persistent OAuth credentials, so users should review the access carefully.
Before installing, make sure you are comfortable giving this skill read access to your Whoop health, profile, and body-measurement data. Treat generated charts and terminal JSON output as private health information, and revoke/delete tokens when you no longer need the integration.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
After authorization, the skill can continue reading detailed Whoop health data until tokens are deleted or access is revoked.
The skill requests broad read access to Whoop health/profile/body data plus offline refresh capability, and stores OAuth tokens locally.
TOKEN_FILE = os.path.expanduser("~/.clawdbot/whoop-tokens.json") ... SCOPES = "offline read:recovery read:cycles read:workout read:sleep read:profile read:body_measurement"
Authorize only if you are comfortable with these read scopes, keep the token file private, avoid sharing client secrets or tokens, and use the logout command or Whoop app revocation when finished.
If the CDN library were compromised or changed unexpectedly, it could affect chart behavior in the local HTML page.
Generated chart pages load an unpinned third-party JavaScript chart library; this is common for charts, but that script runs in a page containing health chart data.
<script src="https://cdn.jsdelivr.net/npm/apexcharts"></script>
For stronger privacy and reproducibility, use a pinned library version with integrity checks or a reviewed local copy of the chart library.
