← Back to Skills Marketplace
aikong-cmd

WHOOP Health Data Sync

by aikong-cmd · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
212
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install whoop-health-sync
Description
Sync WHOOP health data (recovery, sleep, strain, workouts) to markdown files for AI-powered health insights. Use when user asks about WHOOP data, health metr...
Usage Guidance
This skill appears to do what it says (sync WHOOP -> markdown), but there are three things you should check before installing or running it: 1) Remove or inspect the included data/tokens.json: the package contains an access_token and refresh_token. If those tokens are valid, they grant access to WHOOP data. Do NOT install/run with those tokens present; delete or replace tokens.json and run auth.py yourself to create fresh tokens. 2) Expect undeclared dependencies: the scripts invoke the 1Password CLI ('op') and curl via subprocess. Ensure you understand whether you want the skill to access your 1Password vault or a local .op-token file (it looks for ~/.openclaw/.op-token). If you don't use 1Password, set WHOOP_CLIENT_ID/WHOOP_CLIENT_SECRET as environment variables and make sure curl/op aren't available to the runtime if you want to prevent that code path. 3) Sensitive data persistence & automation: the skill stores refresh tokens on disk (allows long-lived access) and writes health reports to ~/.openclaw/workspace/health — consider whether you want those files present on the machine and ensure correct file permissions and that automated cron tasks are scheduled only on machines you trust. Additional recommendations: inspect auth.py and sync.py locally (they are human-readable), regenerate WHOOP client secrets if you accidentally used any included tokens, and only run this skill on a trusted device. If you need help verifying whether the provided tokens are live, do not paste them here — instead, remove the file and run an auth flow yourself.
Capability Analysis
Type: OpenClaw Skill Name: whoop-health-sync Version: 1.0.0 The bundle is a legitimate tool for syncing WHOOP health metrics (recovery, sleep, strain) to local Markdown files. It implements a standard OAuth 2.0 flow using a local callback server in `scripts/auth.py` and handles data retrieval in `scripts/sync.py`. While it uses `curl` to bypass Cloudflare API blocks and can optionally interface with the 1Password CLI (`op`) for credential management, these behaviors are explicitly documented in the `README.md` and `SKILL.md` and are aligned with the stated purpose. No evidence of data exfiltration or malicious intent was found.
Capability Assessment
Purpose & Capability
Name/description match the code: auth.py and sync.py implement WHOOP OAuth and API-sync to markdown files. However the skill bundle includes a data/tokens.json file containing real-looking access/refresh tokens and scopes — shipping tokens with the package is unexpected and disproportionate to the stated purpose (a sample token is understandable, but a live-looking access + refresh token is a sensitive secret and not required for a new user to run the skill).
Instruction Scope
SKILL.md instructions stay within syncing WHOOP data (create developer app, set WHOOP_CLIENT_ID/SECRET or use 1Password, run auth.py, run sync.py). They do instruct manual copying of callback URLs for remote auth and recommend using cron to auto-run the sync and have the agent read/send generated markdown — which means sensitive health files will be regularly written to disk and read by the agent. The code also reads a local .op-token and uses the 1Password CLI if available; that behavior is referenced in docs but is a privilege you should be aware of.
Install Mechanism
No install spec and no remote downloads — the skill is instruction + Python scripts only, so nothing arbitrary will be downloaded or extracted at install time. This is a low-risk install mechanism.
Credentials
Metadata declared no required env vars or binaries, but the SKILL.md and code require WHOOP_CLIENT_ID and WHOOP_CLIENT_SECRET (env or 1Password) and the scripts call external commands ('op' 1Password CLI and 'curl'). The included data/tokens.json contains an access_token and refresh_token (and scopes). Bundling tokens is unsafe and disproportionate; it could expose an account if tokens are valid. Asking to read ~/.openclaw/.op-token to set OP_SERVICE_ACCOUNT_TOKEN gives the skill access to a user's 1Password service token if present — a high-sensitivity capability that wasn't declared in the metadata.
Persistence & Privilege
The skill writes tokens to data/tokens.json and writes health markdown files into the workspace health directory for ongoing use (intended). always:false and no attempt to modify other skills or system settings. Still, tokens (including refresh tokens) are stored on disk with file-permissions set to 600 — standard but worth noting because refresh tokens allow long-term API access. Cron example promotes automated, recurring syncs (broadens exposure if tokens are compromised).
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install whoop-health-sync
  3. After installation, invoke the skill by name or use /whoop-health-sync
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: OAuth auth, daily sync, weekly reports, bilingual docs (EN/CN)
Metadata
Slug whoop-health-sync
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is WHOOP Health Data Sync?

Sync WHOOP health data (recovery, sleep, strain, workouts) to markdown files for AI-powered health insights. Use when user asks about WHOOP data, health metr... It is an AI Agent Skill for Claude Code / OpenClaw, with 212 downloads so far.

How do I install WHOOP Health Data Sync?

Run "/install whoop-health-sync" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is WHOOP Health Data Sync free?

Yes, WHOOP Health Data Sync is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does WHOOP Health Data Sync support?

WHOOP Health Data Sync is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created WHOOP Health Data Sync?

It is built and maintained by aikong-cmd (@aikong-cmd); the current version is v1.0.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463815 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259802 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200680 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191345 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190333 · by oswalpalash

💬 Comments