Whoop Openclaw Skill
Advisory. Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A copied OAuth code or token could be exposed to a chat platform, bot operator, logs, or the wrong recipient, potentially allowing access to Whoop health data.
OAuth codes and access tokens can grant access to sensitive Whoop health data. Telling users to send them through chat or messaging services is broader and riskier than the local token-exchange flow described elsewhere.
"Copy the code/token above" ... "Send it to your assistant via Telegram/WhatsApp"
Exchange OAuth codes locally with the provided script when possible. Do not send access tokens or refresh tokens through chat; revoke the Whoop app if a token may have been exposed.
Anyone who can read these token files may be able to access the user's Whoop profile, recovery, sleep, strain, and workout data.
The helper saves Whoop access and refresh tokens locally, enabling ongoing API access. This is expected for OAuth integration, but it is sensitive credential storage.
DEFAULT_TOKEN_FILE.write_text(access_token) ... refresh_file.write_text(refresh_token)
Store token files with restrictive permissions, avoid sharing them, and revoke the Whoop application from account settings if the device or files are compromised.
Private health metrics may be visible in prompts, responses, terminal output, or logs depending on how the agent is used.
The skill intentionally retrieves sensitive health and fitness metrics for agent analysis. The artifacts do not show exfiltration or persistent memory of the metrics, but the data may enter the agent's working context and outputs.
Fetch and analyze Whoop recovery, strain, sleep, and HRV data via the Whoop API.
Use the skill only in trusted environments, avoid requesting raw JSON unless needed, and do not paste outputs into untrusted channels.
Installing or running code from the wrong repository or release could expose local credentials or health data.
The documentation points users to external GitHub download/clone options, while the registry source is listed as unknown. This is not inherently unsafe, but the provenance of the repository and release should be verified before running the helper scripts.
curl -O https://github.com/vraj1512/whoop-clawdbot-skill/releases/latest/download/whoop.skill ... git clone https://github.com/vraj1512/whoop-clawdbot-skill.git
Verify the repository, release, and file contents before installation, and prefer reviewed package sources.
