Whoop Openclaw Skill
Review
Audited by ClawScan on May 10, 2026.
Overview
This mostly looks like a legitimate Whoop health-data integration, but it handles persistent OAuth access and one helper page tells users to send OAuth codes or tokens through chat, which could expose sensitive health-account access.
Install only if you are comfortable granting read access to your Whoop health data. Prefer the local OAuth exchange flow, do not send tokens through Telegram/WhatsApp or other chats, protect the ~/.whoop_token and ~/.whoop_refresh_token files, and revoke the Whoop app if access is no longer needed.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding 1: OAuth code/token sent through chat
Impact: A copied OAuth code or token could be exposed to a chat platform, bot operator, logs, or the wrong recipient, potentially allowing access to Whoop health data.
Details: OAuth codes and access tokens can grant access to sensitive Whoop health data. Telling users to send them through chat or messaging services is broader and riskier than the local token-exchange flow described elsewhere.
Evidence: "Copy the code/token above" / "Send it to your assistant via Telegram/WhatsApp"
Recommendation: Exchange OAuth codes locally with the provided script when possible. Do not send access tokens or refresh tokens through chat; revoke the Whoop app if a token may have been exposed.
Finding 2: Persistent token storage on disk
Impact: Anyone who can read these token files may be able to access the user's Whoop profile, recovery, sleep, strain, and workout data.
Details: The helper saves Whoop access and refresh tokens locally, enabling ongoing API access. This is expected for an OAuth integration, but it is sensitive credential storage.
Evidence: DEFAULT_TOKEN_FILE.write_text(access_token) ... refresh_file.write_text(refresh_token)
Recommendation: Store token files with restrictive permissions, avoid sharing them, and revoke the Whoop application from account settings if the device or files are compromised.
Finding 3: Sensitive health metrics enter agent context
Impact: Private health metrics may be visible in prompts, responses, terminal output, or logs, depending on how the agent is used.
Details: The skill intentionally retrieves sensitive health and fitness metrics for agent analysis. The artifacts do not show exfiltration or persistent memory of the metrics, but the data may enter the agent's working context and outputs.
Evidence: "Fetch and analyze Whoop recovery, strain, sleep, and HRV data via the Whoop API."
Recommendation: Use the skill only in trusted environments, avoid requesting raw JSON unless needed, and do not paste outputs into untrusted channels.
Finding 4: External download source with unknown registry provenance
Impact: Installing or running code from the wrong repository or release could expose local credentials or health data.
Details: The documentation points users to external GitHub download/clone options, while the registry source is listed as unknown. This is not inherently unsafe, but provenance should be verified before running helper scripts.
Evidence: curl -O https://github.com/vraj1512/whoop-clawdbot-skill/releases/latest/download/whoop.skill ... git clone https://github.com/vraj1512/whoop-clawdbot-skill.git
Recommendation: Verify the repository, release, and file contents before installation, and prefer reviewed package sources.
