Whoop Openclaw Skill

Pass. Audited by VirusTotal on May 12, 2026.

Findings (1)

The skill bundle is a well-structured and functional integration for the Whoop API. All Python scripts interact exclusively with legitimate Whoop API endpoints for data fetching and OAuth. Token handling is secure, using standard locations (`~/.whoop_token`, `~/.whoop_refresh_token`) and practices (e.g., CSRF protection). There are no shell injection vulnerabilities, no attempts to access sensitive files outside of designated token files, and no data exfiltration to unauthorized external endpoints. The `SKILL.md` and `README.md` provide instructions for the AI agent to execute the skill's own benign scripts, with no evidence of prompt injection to subvert the agent's purpose. The OAuth HTML pages are client-side and perform standard redirect functions without malicious code.