← Back to Skills Marketplace
vraj1512

Whoop Openclaw Skill

by Vraj anandpara · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
534
Downloads
2
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install whoop-openclaw-skill
Description
Fetch and analyze Whoop recovery, strain, sleep, and HRV data via the Whoop API. Use when the user asks about their Whoop metrics, recovery status, sleep qua...
Usage Guidance
This skill largely does what it claims (fetch Whoop data via OAuth). Before installing or running it, consider the following: - Metadata vs reality: The registry metadata lists no required credentials, but you must create a Whoop Developer app and provide client_id and client_secret in whoop-config.json (and the code can also read WHOOP_API_TOKEN). Treat those as sensitive secrets. - Token storage: The scripts save full access and refresh tokens to ~/.whoop_token and ~/.whoop_refresh_token (plain text). If you use it, ensure the files have restrictive permissions and run it on a trusted machine. - DO NOT follow the redirect.html instruction to send codes or tokens over chat (Telegram/WhatsApp) — that would leak your Whoop access to third parties. Prefer performing the exchange locally with whoop_oauth.py as documented in SKILL.md. - Audit and host redirect/privacy pages on a domain you control (or GitHub Pages) so you know where the auth flow points. Don't use strangers' hosted pages. - If you proceed: review the included scripts yourself, run them locally, avoid pasting tokens into external services, and if you suspect any leak revoke the app/refresh tokens in your Whoop developer settings. Summary action items: verify source/trust of this package (source unknown), update metadata/ask the publisher to declare required credentials, inspect file permissions for token files, and never transmit auth codes/tokens via untrusted messaging.
Capability Analysis
Type: OpenClaw Skill Name: whoop-openclaw-skill Version: 1.0.0 The skill bundle is a well-structured and functional integration for the Whoop API. All Python scripts interact exclusively with legitimate Whoop API endpoints for data fetching and OAuth. Token handling is secure, using standard locations (`~/.whoop_token`, `~/.whoop_refresh_token`) and practices (e.g., CSRF protection). There are no shell injection vulnerabilities, no attempts to access sensitive files outside of designated token files, and no data exfiltration to unauthorized external endpoints. The `SKILL.md` and `README.md` provide instructions for the AI agent to execute the skill's own benign scripts, with no evidence of prompt injection to subvert the agent's purpose. The OAuth HTML pages are client-side and perform standard redirect functions without malicious code.
Capability Assessment
Purpose & Capability
The code (whoop_oauth.py, whoop_client.py, morning_briefing.py) implements the claimed Whoop data fetch and analysis features and uses OAuth tokens as expected. However, the registry metadata declares no required credentials or environment variables while the code requires client_id/client_secret (in whoop-config.json) and optionally reads WHOOP_API_TOKEN; this mismatch should have been declared in the skill metadata.
Instruction Scope
SKILL.md's runtime instructions are generally scoped to OAuth and local use, but an included redirect.html explicitly instructs users to 'Send it to your assistant via Telegram/WhatsApp' and auto-copies auth codes/tokens to the clipboard. That encourages transmitting sensitive tokens over external messaging channels. The code also prints token fragments to stdout and writes full tokens to ~/.whoop_token and .whoop_refresh_token — expected for a local client but sensitive.
Install Mechanism
This is an instruction-and-script skill with no install spec; the files are provided and the scripts run locally. There is no remote download/install step embedded in the skill files that would pull arbitrary executables at runtime. README suggests optional curl/git clone from GitHub releases, which is a normal distribution mechanism.
Credentials
The skill requires OAuth credentials (client_id, client_secret, redirect_uri) and persists access/refresh tokens to the user's home directory, but the registry metadata lists no required env vars or primary credential. The code also accepts WHOOP_API_TOKEN from the environment though this is not declared. These undeclared credential requirements and local token storage are proportional to the stated purpose but should be declared by the skill.
Persistence & Privilege
The skill stores tokens in ~/.whoop_token and ~/.whoop_refresh_token and will refresh tokens automatically — reasonable for a client that maintains a session. always:false and normal invocation are used. It does not modify other skills or system settings. The main concern is persistent storage of sensitive tokens and the skill's instructions (redirect page) that could cause users to leak those tokens.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install whoop-openclaw-skill
  3. After installation, invoke the skill by name or use /whoop-openclaw-skill
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial public release of whoop-openclaw - Enables fetching and analyzing Whoop recovery, strain, sleep, HRV, and workout data via the Whoop API. - Provides setup instructions for OAuth authentication and connecting a Whoop account. - Supports commands for daily summaries, weekly analyses, and insight generation based on user metrics. - Includes troubleshooting steps for common setup and API issues. - Offers recommendations for health, recovery, and training based on real-time Whoop data.
Metadata
Slug whoop-openclaw-skill
Version 1.0.0
License
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Whoop Openclaw Skill?

Fetch and analyze Whoop recovery, strain, sleep, and HRV data via the Whoop API. Use when the user asks about their Whoop metrics, recovery status, sleep qua... It is an AI Agent Skill for Claude Code / OpenClaw, with 534 downloads so far.

How do I install Whoop Openclaw Skill?

Run "/install whoop-openclaw-skill" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Whoop Openclaw Skill free?

Yes, Whoop Openclaw Skill is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Whoop Openclaw Skill support?

Whoop Openclaw Skill is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Whoop Openclaw Skill?

It is built and maintained by Vraj anandpara (@vraj1512); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463556 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259610 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200551 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191226 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190235 · by oswalpalash

💬 Comments