Is andreasnlarsen/whoop-cli safe?

https://github.com/openclaw/skills/tree/main/skills/andreasnlarsen/whoop-cli

Overall score: 83
Verdict: SAFE

The whoop-cli skill has a clean SKILL.md with no prompt injection patterns, good credential-handling guidance, and no malicious install-time behavior — install monitoring shows only an expected GitHub HTTPS connection with all canary files intact. The primary residual risk is that the skill directs the agent to install and invoke an unaudited npm package and to optionally run 'whoop openclaw install-skill --force', creating a second-order code execution path not covered by this audit. A minor version mismatch between the skill metadata and the npm pin adds low-level supply-chain ambiguity.

Category Scores

Prompt Injection 85/100 · 30%
Data Exfiltration 85/100 · 25%
Code Execution 72/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 75/100 · 5%

Findings (5)

MEDIUM Skill instructs agent to execute 'whoop openclaw install-skill --force' -20

SKILL.md includes an optional but explicitly documented instruction for the agent to run 'whoop openclaw install-skill --force' after installing the npm CLI. This delegates further installation decisions to the npm package binary itself, which was not audited in this scan. The command could download and write additional files, modify agent configuration, or execute arbitrary code bundled in the npm package, all under the guise of a routine skill setup step.

LOW Skill directs agent to globally install unaudited npm package -8

SKILL.md instructs the agent to run 'npm install -g @andreasnlarsen/[email protected]'. While pinned to a specific version, the npm package itself was not the subject of this audit. A global npm install executes with the user's full filesystem and process permissions, and the package's own scripts, bundled executables, and runtime logic are out of scope for this SKILL.md-only review.

LOW Version mismatch between _meta.json (0.1.6) and SKILL.md install pin (0.1.3) -5

The skill's _meta.json declares the published version as 0.1.6, but SKILL.md instructs installation of npm package version 0.1.3. This discrepancy means the SKILL.md install instruction may be deliberately pinned to an older version of the npm package, potentially one with different security properties than the current release, or it may indicate that an update was shipped without aligning the install instructions.

INFO Canary credential files accessed — attributed to audit framework baseline scans 0

Inotify and auditd records show reads of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCloud credentials at 04:35:07 (audit IDs 262-267) and 04:35:29 (audit IDs 1421-1426). Both access clusters occur in bulk at identical sub-millisecond timestamps and align precisely with the start and end of the monitoring session, strongly indicating the Oathe audit framework's own pre/post integrity scanning. The canary integrity report independently confirms no exfiltration. No evidence links these accesses to the skill installation process.

INFO Skill requires OAuth client secret as environment variable 0

The skill declares WHOOP_CLIENT_SECRET as its primaryEnv and also requires WHOOP_CLIENT_ID and WHOOP_REDIRECT_URI. These are OAuth credentials. SKILL.md explicitly instructs the agent never to print these or ask users to paste them into chat, which is good hygiene. However, agents with broad shell access could inadvertently expose these via shell introspection commands (e.g., env, printenv) unless additional sandboxing is applied.