← Back to Skills Marketplace

WHOOP Morning

Name: WHOOP Morning
Author: borahm

by Borahm · GitHub ↗ · v0.1.1

cross-platform ⚠ suspicious

1946

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install whoop-morning

Description

Check WHOOP recovery/sleep/strain each morning and send suggestions.

Usage Guidance

This skill mostly does what it says (WHOOP OAuth and daily suggestions), but there are mismatches you should resolve before installing: 1) SKILL.md expects two executable scripts (whoop-auth and whoop-morning) at /home/claw/… but those binaries are not present in the package — confirm their origin and inspect them before running. 2) The registry metadata does not list the required env vars even though SKILL.md does — verify which variables the runtime actually needs. 3) The skill will store your WHOOP_CLIENT_ID/SECRET and tokens in ~/.clawdbot/.env and ~/.cache/whoop-morning/tokens.json; treat these as sensitive, check file permissions, and consider using a dedicated WHOOP account or rotating credentials after testing. Recommended actions: obtain and review the whoop-auth/whoop-morning binaries (or request the author publish the full package), verify no unexpected network endpoints are contacted by those binaries, and only then provide your WHOOP credentials.

Capability Analysis

Type: OpenClaw Skill Name: whoop-morning Version: 0.1.1 The skill is designed to interact with the WHOOP API to fetch user data and provide suggestions. It handles OAuth tokens by requiring them as environment variables (`WHOOP_CLIENT_ID`, `WHOOP_CLIENT_SECRET`, `WHOOP_REFRESH_TOKEN`) and storing access tokens in a user-specific cache directory (`~/.cache/whoop-morning/tokens.json`) via `lib/tokens.js`. The `SKILL.md` provides clear setup instructions for the user, including an OAuth authorization flow, and does not contain any prompt injection attempts against the AI agent. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or obfuscation. All operations appear to be aligned with the stated purpose.

Capability Assessment

ℹ Purpose & Capability

The skill's stated goal (fetch WHOOP recovery/sleep/strain and produce suggestions) matches the OAuth env vars and token cache behavior described in SKILL.md and implemented in lib/tokens.js. However, SKILL.md expects helper binaries (whoop-auth and whoop-morning) to exist at /home/claw/... but the package manifest only contains SKILL.md and lib/tokens.js — the referenced binaries are not present. Also the registry metadata listed no required env vars while SKILL.md declares three WHOOP env vars (discrepancy).

ℹ Instruction Scope

Instructions are narrowly scoped to performing OAuth, storing credentials in ~/.clawdbot/.env, and running the two binaries. They do not ask to read unrelated system files or transmit data to third-party endpoints beyond WHOOP's API. Concern: the instructions hard-code platform-specific paths (/home/claw/...) and reference binaries that are not included, which could lead users to run unknown binaries elsewhere if provided separately.

ℹ Install Mechanism

There is no install spec (instruction-only), which is low-risk in isolation. But SKILL.md refers to bundled binaries under a skill path; those binaries are missing from the file manifest. That mismatch is suspicious because it forces the user to obtain or run binaries from another source (or assumes an environment layout), increasing risk.

✓ Credentials

The only secrets requested in SKILL.md are WHOOP_CLIENT_ID, WHOOP_CLIENT_SECRET, and WHOOP_REFRESH_TOKEN — all appropriate for a WHOOP OAuth integration. The code reads HOME and stores tokens under ~/.cache/whoop-morning and SKILL.md directs storing client secrets in ~/.clawdbot/.env — these uses are proportionate. Note the registry metadata's omission of required env vars is inconsistent with SKILL.md.

✓ Persistence & Privilege

The skill does persist tokens locally (writes tokens.json in ~/.cache/whoop-morning and updates ~/.clawdbot/.env), which is expected for an OAuth flow. It does not request always:true and does not attempt to modify other skills' configs. Ensure file permissions and local token handling are appropriate.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install whoop-morning
After installation, invoke the skill by name or use /whoop-morning
Provide required inputs per the skill's parameter spec and get structured output

Version History

v0.1.1

Fix: use WHOOP v2 API endpoints; add token caching/rotation handling; docs improvements.

v0.1.0

Initial release: WHOOP morning check-in (recovery/sleep/strain) with suggestions; uses OAuth refresh token from ~/.clawdbot/.env.

Metadata

Slug whoop-morning

Version 0.1.1

License —

All-time Installs 1

Active Installs 1

Total Versions 2

Frequently Asked Questions

What is WHOOP Morning?

Check WHOOP recovery/sleep/strain each morning and send suggestions. It is an AI Agent Skill for Claude Code / OpenClaw, with 1946 downloads so far.

How do I install WHOOP Morning?

Run "/install whoop-morning" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is WHOOP Morning free?

Yes, WHOOP Morning is completely free (open-source). You can download, install and use it at no cost.

Which platforms does WHOOP Morning support?

WHOOP Morning is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created WHOOP Morning?

It is built and maintained by Borahm (@borahm); the current version is v0.1.1.

More Skills