whoop

Fetches and analyzes WHOOP data on sleep, recovery, and workouts, providing insights for health and performance optimization.

Install this skill

or

50/100

Security score

The whoop skill was audited on Feb 9, 2026 and we found 26 security issues across 3 threat categories. Review the findings below before installing.

Categories Tested

Security Issues

medium line 239

Ngrok tunnel reference

SourceSKILL.md

239	ngrok http 3000

medium line 241

Ngrok tunnel reference

SourceSKILL.md

241	# 2) Add the ngrok HTTPS URL + /callback to WHOOP dashboard Redirect URIs, then run:

medium line 242

Ngrok tunnel reference

SourceSKILL.md

242	WHOOP_REDIRECT_URI=https://YOUR-NGROK-DOMAIN.ngrok-free.app/callback node src/auth.js

low line 19

Access to hidden dotfiles in home directory

SourceSKILL.md

19	# 1) One-time setup (writes ~/.clawdbot/whoop/credentials.json)

medium line 91

Access to hidden dotfiles in home directory

SourceSKILL.md

91	This writes `~/.clawdbot/whoop/credentials.json` (and optionally `token.json` if you paste tokens).

medium line 145

Access to hidden dotfiles in home directory

SourceSKILL.md

145	5) Save tokens to `~/.clawdbot/whoop/token.json`:

low line 213

Access to hidden dotfiles in home directory

SourceSKILL.md

213	rm ~/.clawdbot/whoop/token.json

medium line 221

Access to hidden dotfiles in home directory

SourceSKILL.md

221	- Copy the latest `access_token` + `refresh_token` from Postman into `~/.clawdbot/whoop/token.json` and update `obtained_at`.

low line 62

External URL reference

SourceSKILL.md

62	- `openssl` (only needed for the optional `auth.js` flow when using `https://localhost`; Postman auth does not need it)

low line 72

External URL reference

SourceSKILL.md

72	https://oauth.pstmn.io/v1/browser-callback

low line 76

External URL reference

SourceSKILL.md

76	https://localhost:3000/callback

low line 100

External URL reference

SourceSKILL.md

100	- `https://oauth.pstmn.io/v1/browser-callback`

low line 107

External URL reference

SourceSKILL.md

107	https://oauth.pstmn.io/v1/browser-callback

low line 121

External URL reference

SourceSKILL.md

121	https://api.prod.whoop.com/oauth/oauth2/auth

low line 125

External URL reference

SourceSKILL.md

125	https://api.prod.whoop.com/oauth/oauth2/token

low line 151

External URL reference

SourceSKILL.md

151	https://oauth.pstmn.io/v1/browser-callback

low line 166

External URL reference

SourceSKILL.md

166	https://localhost:3000/callback

low line 171

External URL reference

SourceSKILL.md

171	WHOOP_REDIRECT_URI='https://localhost:3000/callback' node src/auth.js

low line 176

External URL reference

SourceSKILL.md

176	WHOOP_REDIRECT_URI='https://localhost:3000/callback' node src/auth.js --manual

low line 202

External URL reference

SourceSKILL.md

202	https://oauth.pstmn.io/v1/browser-callback

low line 206

External URL reference

SourceSKILL.md

206	https://localhost:3000/callback

low line 232

External URL reference

SourceSKILL.md

232	- Redirect URI policy (WHOOP docs only mention `https://` or `whoop://` redirect URIs)

low line 242

External URL reference

SourceSKILL.md

242	WHOOP_REDIRECT_URI=https://YOUR-NGROK-DOMAIN.ngrok-free.app/callback node src/auth.js

low line 250

External URL reference

SourceSKILL.md

250	### If your WHOOP Redirect URL is `https://localhost:3000/callback`

low line 255

External URL reference

SourceSKILL.md

255	WHOOP_REDIRECT_URI=https://localhost:3000/callback node src/auth.js

low line 257

External URL reference

SourceSKILL.md

257	It will generate a self-signed cert locally and your browser will likely show a warning for `https://localhost`.

Scanned on Feb 9, 2026

View Security Dashboard

Install this skill with one command

/learn @openclaw/whoop-central

GitHub Stars 2.2K

Rate this skill

Categorysales

UpdatedMarch 29, 2026

openclaw api customer-success-manager health-informatics data-analyst sales healthcare data analytics

openclaw/skills