← Back to Skills Marketplace
317
Downloads
0
Stars
0
Active Installs
3
Versions
Install in OpenClaw
/install openclaw-whoop
Description
Connect to the WHOOP Developer Platform via official OAuth (authorization code flow), store and refresh tokens, and fetch WHOOP v2 data (recovery, sleep, cyc...
Usage Guidance
This package looks like a reasonable WHOOP OAuth client: it talks only to WHOOP endpoints, stores tokens locally (default ~/.config/openclaw/whoop/token.json), and renders user-facing summaries. Before installing: 1) Confirm the source/owner is trusted — the registry metadata and the SKILL.md disagree about required environment variables; the scripts DO require WHOOP_CLIENT_ID, WHOOP_CLIENT_SECRET, and WHOOP_REDIRECT_URI. 2) Provide only a WHOOP app/client with minimal scopes (e.g., read:recovery, read:sleep, read:cycles). 3) Consider setting WHOOP_TOKEN_PATH to a secure location and verify the token file permissions after creation; revoke the app/client from your WHOOP developer dashboard if you later remove the skill. 4) Understand loopback mode opens a local HTTP listener to capture the OAuth code — only use that if you trust the environment and the redirect URI. 5) Ask the publisher to correct the registry metadata to declare the required env vars and primary credential so automated permission reviews work correctly.
Capability Analysis
Type: OpenClaw Skill
Name: openclaw-whoop
Version: 0.1.2
The skill bundle is a standard and well-implemented integration for the WHOOP API. It follows security best practices by using environment variables for secrets, implementing the official OAuth 2.0 Authorization Code flow, and securing local token storage with restrictive file permissions (0600) in `whoop_token.py`. The scripts (`whoop_fetch.py`, `whoop_oauth_login.py`) use Python's built-in `urllib` to avoid third-party dependency risks, and the instructions in `SKILL.md` are strictly aligned with the stated purpose of fetching and rendering fitness metrics without any evidence of malicious intent or data exfiltration.
Capability Assessment
Purpose & Capability
The name, description, SKILL.md, and included scripts all match: this is an OAuth-based WHOOP client that fetches and renders WHOOP v2 metrics. The requested capabilities (fetching recovery/sleep/cycle/workout/profile data, storing tokens) are coherent with the stated purpose. However the registry metadata declares no required env vars or primary credential while the runtime instructions and code clearly require WHOOP_CLIENT_ID, WHOOP_CLIENT_SECRET, and WHOOP_REDIRECT_URI — that metadata mismatch is suspicious and should be corrected.
Instruction Scope
SKILL.md instructs the agent to perform OAuth login, fetch WHOOP endpoints, normalize and render results, and optionally send via OpenClaw message tool or cron. The included scripts only access the WHOOP API, read/write the designated token file, and operate on input/output JSON files; they do not attempt to read unrelated system files or other credentials. Loopback mode starts a local HTTP listener to capture the OAuth code (standard for authorization code flow).
Install Mechanism
No install spec (instruction-only + bundled scripts). There are no downloads, package installs, or external installers in the manifest — the risk from installation is limited to running the included Python scripts. All code is present in the bundle for review.
Credentials
The scripts legitimately require WHOOP_CLIENT_ID, WHOOP_CLIENT_SECRET, and WHOOP_REDIRECT_URI (and optionally WHOOP_TOKEN_PATH / WHOOP_TZ). Those credentials are proportionate for OAuth. The concern is that the registry metadata lists no required env vars and no primary credential — this mismatch could cause users or automated systems to grant insufficient or excessive permissions unknowingly. Token storage to ~/.config/openclaw/whoop/token.json is expected; the code attempts to set file permissions to 0600.
Persistence & Privilege
The skill does not request special platform privileges or set always:true. It writes a token file under the user's home config directory and creates that directory if needed — this is normal for an OAuth client. It does not modify other skills or system-wide agent settings.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install openclaw-whoop - After installation, invoke the skill by name or use
/openclaw-whoop - Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.2
OAuth UX: default remote copy/paste mode; add optional --loopback fast path for same-machine browser authorization.
v0.1.1
Polish SKILL.md intro copy + add minimal quick start; no functional changes.
v0.1.0
Republish under WHOOP-friendly slug (openclaw-whoop). Same contents as [email protected].
Metadata
Frequently Asked Questions
What is WHOOP (Official API)?
Connect to the WHOOP Developer Platform via official OAuth (authorization code flow), store and refresh tokens, and fetch WHOOP v2 data (recovery, sleep, cyc... It is an AI Agent Skill for Claude Code / OpenClaw, with 317 downloads so far.
How do I install WHOOP (Official API)?
Run "/install openclaw-whoop" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is WHOOP (Official API) free?
Yes, WHOOP (Official API) is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does WHOOP (Official API) support?
WHOOP (Official API) is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created WHOOP (Official API)?
It is built and maintained by Gavin C. (@gavinchengcool); the current version is v0.1.2.
More Skills