Whoop Skill

v1.1.0

WHOOP CLI with health insights, trends analysis, and data fetching (sleep, recovery, HRV, strain).

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (WHOOP CLI, metrics, insights) matches the code and required environment variables (WHOOP_CLIENT_ID, WHOOP_CLIENT_SECRET, WHOOP_REDIRECT_URI) and the only required binary is node — all appropriate for an OAuth-based WHOOP CLI.
Instruction Scope
SKILL.md and the CLI code only instruct the agent/user to perform WHOOP OAuth/login, fetch WHOOP API endpoints, and optionally run a refresh monitor. There are no instructions to read unrelated files, contact external endpoints other than api.prod.whoop.com, or collect unrelated system data.
Install Mechanism
SKILL.md metadata suggests an npm install (whoopskill) which is a standard distribution channel. The repository also contains full source and a package.json/package-lock. Registry metadata summary indicated 'no install spec / instruction-only' — that mismatch between registry metadata and the SKILL.md/package files is a minor inconsistency you may want to confirm (it means the skill is distributed as code/npm package, not purely docs). No downloads from untrusted URLs or obscure hosts were found.
Credentials
The skill only requires WHOOP OAuth credentials and uses them for token exchange and refresh. These environment variables are necessary for the described OAuth flow; no unrelated secrets or broad permissions are requested.
Persistence & Privilege
The CLI stores OAuth tokens at ~/.whoop-cli/tokens.json and sets restrictive permissions (dir 0o700, file chmod 0o600). This is expected for an OAuth CLI, but be aware tokens are kept on-disk (clearTokens writes an empty file rather than removing it). The skill does not request 'always:true' or modify other skills/configs.
Assessment
This skill appears to do exactly what it says: run a WHOOP OAuth flow, store tokens locally, and call the WHOOP API. Before installing or running it:
- Only provide WHOOP_CLIENT_ID, WHOOP_CLIENT_SECRET and WHOOP_REDIRECT_URI from your WHOOP developer app (these are needed for OAuth). Treat the client secret like any other secret.
- Tokens are stored at ~/.whoop-cli/tokens.json with restrictive permissions (0o600); if you use shared machines or CI, consider where that file will live and who can read it. Revoke the refresh token from your WHOOP developer console if you suspect compromise.
- The package is intended for npm install -g whoopskill; verify you install the official package name and review the GitHub source (https://github.com/koala73/whoopskill) if you want extra assurance.
- Minor inconsistencies: registry metadata said instruction-only while the bundle contains source and an npm package; package-lock and package.json show slightly different versions — this is not an immediate red flag but worth verifying the release you install.
- If you plan to run this in automation (cron/systemd), avoid embedding client secrets in widely-readable locations; prefer a protected environment and rotate credentials if needed.

Like a lobster shell, security has layers — review code before you run it.

latestvk976epfh07xbk9nhdepnh2xay57zx1sn

Runtime requirements

💪 Clawdis
Bins: node
Env: WHOOP_CLIENT_ID, WHOOP_CLIENT_SECRET, WHOOP_REDIRECT_URI
