Access Whoop wearable health data (sleep, recovery, strain, HRV, workouts) and generate interactive charts. Use when the user asks about sleep quality, recovery scores, strain levels, HRV trends, workout data, or wants health visualizations/graphs from their Whoop band.
Security Analysis
High confidence: The skill is a coherent Whoop integration: its code, instructions, and requested OAuth flow match the stated purpose and do not request unrelated credentials or perform unexpected network calls.
Name/description (Whoop health data + charts) align with the included scripts: authentication, data fetch, and chart generation. The OAuth client_id/secret + redirect flow are expected for this integration; no unrelated services or credentials are requested.
SKILL.md stays within the Whoop integration scope (create developer app, run local OAuth flow, fetch Whoop endpoints, generate charts). It documents where tokens are stored (~/.clawdbot/whoop-tokens.json). Minor notes: the README mentions Chart.js but the script uses ApexCharts; charts load a remote CDN (jsdelivr) when the HTML is opened.
No install spec — instruction-only runtime with bundled scripts. Nothing is downloaded or extracted by an installer. The only external resource is the charts JS loaded from a public CDN when opening the generated HTML.
No environment variables or unrelated credentials are requested. The tool stores sensitive items (access_token, refresh_token, client_id, client_secret) in ~/.clawdbot/whoop-tokens.json (the code attempts to chmod 600). Storing client_secret and refresh_token is expected for offline OAuth refresh, but the token file contains secrets and the 'token' subcommand prints the access token to stdout (risk of logging/exfiltration if run in shared or logged shells).
always:false and no modification of other skills or system-wide config. The skill writes a token file to the user's home directory (normal for OAuth clients) and temporarily binds a local HTTP server on port 9876 for the OAuth callback; both are scoped to the user's environment.
Guidance
This skill appears to do exactly what it says: authenticate with Whoop, fetch your wearable data, and make charts. Before installing/running, consider:
1) The OAuth flow saves your client_id, client_secret, access_token, and refresh_token to ~/.clawdbot/whoop-tokens.json — review and protect that file (it is written with 0o600 where possible).
2) The `token` command prints the access token to stdout; avoid running commands in contexts that log terminal output or share stdout.
3) Generated HTML pages load charting code from a CDN (jsdelivr); opening them requires a network request and is a minor supply-chain/privacy risk — if you prefer, host a local copy of the charting library.
4) The local OAuth callback uses port 9876; ensure that port is available and acceptable in your environment.
5) If you want least-privilege, create the Whoop app with only the scopes you need instead of selecting all.
Review the repository files locally before running and delete the token file (whoop_auth.py logout) when you no longer want persistent access.
Latest Release
v1.1.0
Upgraded charts to ApexCharts: zoom/pan, gradient fills, recovery zone annotations, HRV 7-day moving average, short date labels, smooth animations. Fixed dashboard rendering issues.
Published by @rodrigouroz on ClawHub