ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

WHOOP Health Data Sync

v1.0.0

Sync WHOOP health data (recovery, sleep, strain, workouts) to markdown files for AI-powered health insights. Use when user asks about WHOOP data, health metr...

0· 186·0 current·0 all-time
by@aikong-cmd

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for aikong-cmd/whoop-health-sync.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "WHOOP Health Data Sync" (aikong-cmd/whoop-health-sync) from ClawHub.
Skill page: https://clawhub.ai/aikong-cmd/whoop-health-sync
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install whoop-health-sync

ClawHub CLI

Package manager switcher

npx clawhub@latest install whoop-health-sync
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
Name/description match the code: auth.py and sync.py implement WHOOP OAuth and API-sync to markdown files. However the skill bundle includes a data/tokens.json file containing real-looking access/refresh tokens and scopes — shipping tokens with the package is unexpected and disproportionate to the stated purpose (a sample token is understandable, but a live-looking access + refresh token is a sensitive secret and not required for a new user to run the skill).
Instruction Scope
SKILL.md instructions stay within syncing WHOOP data (create developer app, set WHOOP_CLIENT_ID/SECRET or use 1Password, run auth.py, run sync.py). They do instruct manual copying of callback URLs for remote auth and recommend using cron to auto-run the sync and have the agent read/send generated markdown — which means sensitive health files will be regularly written to disk and read by the agent. The code also reads a local .op-token and uses the 1Password CLI if available; that behavior is referenced in docs but is a privilege you should be aware of.
Install Mechanism
No install spec and no remote downloads — the skill is instruction + Python scripts only, so nothing arbitrary will be downloaded or extracted at install time. This is a low-risk install mechanism.
!
Credentials
Metadata declared no required env vars or binaries, but the SKILL.md and code require WHOOP_CLIENT_ID and WHOOP_CLIENT_SECRET (env or 1Password) and the scripts call external commands ('op' 1Password CLI and 'curl'). The included data/tokens.json contains an access_token and refresh_token (and scopes). Bundling tokens is unsafe and disproportionate; it could expose an account if tokens are valid. Asking to read ~/.openclaw/.op-token to set OP_SERVICE_ACCOUNT_TOKEN gives the skill access to a user's 1Password service token if present — a high-sensitivity capability that wasn't declared in the metadata.
Persistence & Privilege
The skill writes tokens to data/tokens.json and writes health markdown files into the workspace health directory for ongoing use (intended). always:false and no attempt to modify other skills or system settings. Still, tokens (including refresh tokens) are stored on disk with file-permissions set to 600 — standard but worth noting because refresh tokens allow long-term API access. Cron example promotes automated, recurring syncs (broadens exposure if tokens are compromised).
What to consider before installing
This skill appears to do what it says (sync WHOOP -> markdown), but there are three things you should check before installing or running it: 1) Remove or inspect the included data/tokens.json: the package contains an access_token and refresh_token. If those tokens are valid, they grant access to WHOOP data. Do NOT install/run with those tokens present; delete or replace tokens.json and run auth.py yourself to create fresh tokens. 2) Expect undeclared dependencies: the scripts invoke the 1Password CLI ('op') and curl via subprocess. Ensure you understand whether you want the skill to access your 1Password vault or a local .op-token file (it looks for ~/.openclaw/.op-token). If you don't use 1Password, set WHOOP_CLIENT_ID/WHOOP_CLIENT_SECRET as environment variables and make sure curl/op aren't available to the runtime if you want to prevent that code path. 3) Sensitive data persistence & automation: the skill stores refresh tokens on disk (allows long-lived access) and writes health reports to ~/.openclaw/workspace/health — consider whether you want those files present on the machine and ensure correct file permissions and that automated cron tasks are scheduled only on machines you trust. Additional recommendations: inspect auth.py and sync.py locally (they are human-readable), regenerate WHOOP client secrets if you accidentally used any included tokens, and only run this skill on a trusted device. If you need help verifying whether the provided tokens are live, do not paste them here — instead, remove the file and run an auth flow yourself.

Like a lobster shell, security has layers — review code before you run it.

latestvk976d8jndp904qy462xca0rg8d837wdp
186downloads
0stars
1versions
Updated 22h ago
v1.0.0
MIT-0
@aikong-cmd
latest
Download

WHOOP Health Data Sync

Sync WHOOP wearable data to health/whoop-YYYY-MM-DD.md files. Pure Python, zero dependencies.

Data Coverage

Recovery (score/HRV/RHR/SpO2/skin temp), Sleep (performance/efficiency/stages/respiratory rate/sleep need/balance), Day Strain (strain/calories/HR), Workouts (sport/duration/strain/HR/zones/distance), Weekly summaries.

Setup

1. Create WHOOP Developer App

  1. Go to https://developer-dashboard.whoop.com/
  2. Create Application → Redirect URI: http://localhost:9527/callback → select all read:* + offline scopes
  3. Note Client ID and Client Secret

2. Store Credentials

Env vars:

export WHOOP_CLIENT_ID="your-id"
export WHOOP_CLIENT_SECRET="your-secret"

Or 1Password: Create Login item named whoop (username=Client ID, password=Client Secret).

3. Authorize (one-time)

Local (browser on same machine):

python3 scripts/auth.py

Remote server (headless):

python3 scripts/auth.py --print-url
# User opens URL in browser, authorizes, copies callback URL back
python3 scripts/auth.py --callback-url "http://localhost:9527/callback?code=xxx&state=yyy"

Tokens auto-refresh via offline scope. Authorize once, runs forever.

Usage

python3 scripts/sync.py              # Sync today
python3 scripts/sync.py --days 7     # Last 7 days
python3 scripts/sync.py --weekly     # Weekly summary
python3 scripts/sync.py --date 2026-03-07  # Specific date

Output: ~/.openclaw/workspace/health/whoop-YYYY-MM-DD.md

Cron (daily auto-sync)

openclaw cron add \
  --name whoop-daily \
  --schedule "0 10 * * *" \
  --timezone Asia/Shanghai \
  --task "Run: python3 ~/.openclaw/workspace/skills/whoop/scripts/sync.py --days 2. Then read the generated markdown files and send me the latest day's report."

Troubleshooting

ProblemFix
No tokens foundRun auth.py first
Token refresh failed (403)Re-run auth.py to re-authorize
error code: 1010Cloudflare block — uses curl to avoid. Check network
No data for dateWHOOP finalizes sleep after waking; try later

Agent Notes

  • When user asks to re-authorize: run auth.py --print-url, send URL, wait for callback URL
  • After authorization: verify with sync.py --days 1
  • Token exchange uses curl to bypass Cloudflare blocking Python urllib

Comments

Loading comments...