← 返回 Skills 市场
WHOOP Health Data Sync
作者
aikong-cmd
· GitHub ↗
· v1.0.0
· MIT-0
212
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install whoop-health-sync
功能描述
Sync WHOOP health data (recovery, sleep, strain, workouts) to markdown files for AI-powered health insights. Use when user asks about WHOOP data, health metr...
安全使用建议
This skill appears to do what it says (sync WHOOP -> markdown), but there are three things you should check before installing or running it:
1) Remove or inspect the included data/tokens.json: the package contains an access_token and refresh_token. If those tokens are valid, they grant access to WHOOP data. Do NOT install/run with those tokens present; delete or replace tokens.json and run auth.py yourself to create fresh tokens.
2) Expect undeclared dependencies: the scripts invoke the 1Password CLI ('op') and curl via subprocess. Ensure you understand whether you want the skill to access your 1Password vault or a local .op-token file (it looks for ~/.openclaw/.op-token). If you don't use 1Password, set WHOOP_CLIENT_ID/WHOOP_CLIENT_SECRET as environment variables and make sure curl/op aren't available to the runtime if you want to prevent that code path.
3) Sensitive data persistence & automation: the skill stores refresh tokens on disk (allows long-lived access) and writes health reports to ~/.openclaw/workspace/health — consider whether you want those files present on the machine and ensure correct file permissions and that automated cron tasks are scheduled only on machines you trust.
Additional recommendations: inspect auth.py and sync.py locally (they are human-readable), regenerate WHOOP client secrets if you accidentally used any included tokens, and only run this skill on a trusted device. If you need help verifying whether the provided tokens are live, do not paste them here — instead, remove the file and run an auth flow yourself.
功能分析
Type: OpenClaw Skill
Name: whoop-health-sync
Version: 1.0.0
The bundle is a legitimate tool for syncing WHOOP health metrics (recovery, sleep, strain) to local Markdown files. It implements a standard OAuth 2.0 flow using a local callback server in `scripts/auth.py` and handles data retrieval in `scripts/sync.py`. While it uses `curl` to bypass Cloudflare API blocks and can optionally interface with the 1Password CLI (`op`) for credential management, these behaviors are explicitly documented in the `README.md` and `SKILL.md` and are aligned with the stated purpose. No evidence of data exfiltration or malicious intent was found.
能力评估
Purpose & Capability
Name/description match the code: auth.py and sync.py implement WHOOP OAuth and API-sync to markdown files. However the skill bundle includes a data/tokens.json file containing real-looking access/refresh tokens and scopes — shipping tokens with the package is unexpected and disproportionate to the stated purpose (a sample token is understandable, but a live-looking access + refresh token is a sensitive secret and not required for a new user to run the skill).
Instruction Scope
SKILL.md instructions stay within syncing WHOOP data (create developer app, set WHOOP_CLIENT_ID/SECRET or use 1Password, run auth.py, run sync.py). They do instruct manual copying of callback URLs for remote auth and recommend using cron to auto-run the sync and have the agent read/send generated markdown — which means sensitive health files will be regularly written to disk and read by the agent. The code also reads a local .op-token and uses the 1Password CLI if available; that behavior is referenced in docs but is a privilege you should be aware of.
Install Mechanism
No install spec and no remote downloads — the skill is instruction + Python scripts only, so nothing arbitrary will be downloaded or extracted at install time. This is a low-risk install mechanism.
Credentials
Metadata declared no required env vars or binaries, but the SKILL.md and code require WHOOP_CLIENT_ID and WHOOP_CLIENT_SECRET (env or 1Password) and the scripts call external commands ('op' 1Password CLI and 'curl'). The included data/tokens.json contains an access_token and refresh_token (and scopes). Bundling tokens is unsafe and disproportionate; it could expose an account if tokens are valid. Asking to read ~/.openclaw/.op-token to set OP_SERVICE_ACCOUNT_TOKEN gives the skill access to a user's 1Password service token if present — a high-sensitivity capability that wasn't declared in the metadata.
Persistence & Privilege
The skill writes tokens to data/tokens.json and writes health markdown files into the workspace health directory for ongoing use (intended). always:false and no attempt to modify other skills or system settings. Still, tokens (including refresh tokens) are stored on disk with file-permissions set to 600 — standard but worth noting because refresh tokens allow long-term API access. Cron example promotes automated, recurring syncs (broadens exposure if tokens are compromised).
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install whoop-health-sync - 安装完成后,直接呼叫该 Skill 的名称或使用
/whoop-health-sync触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release: OAuth auth, daily sync, weekly reports, bilingual docs (EN/CN)
元数据
常见问题
WHOOP Health Data Sync 是什么?
Sync WHOOP health data (recovery, sleep, strain, workouts) to markdown files for AI-powered health insights. Use when user asks about WHOOP data, health metr... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 212 次。
如何安装 WHOOP Health Data Sync?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install whoop-health-sync」即可一键安装,无需额外配置。
WHOOP Health Data Sync 是免费的吗?
是的,WHOOP Health Data Sync 完全免费,采用 MIT-0 许可证,可自由下载、安装和使用。
WHOOP Health Data Sync 支持哪些平台?
WHOOP Health Data Sync 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 WHOOP Health Data Sync?
由 aikong-cmd(@aikong-cmd)开发并维护,当前版本 v1.0.0。
推荐 Skills