Is borahm/whoop-morning safe?
https://github.com/openclaw/skills/tree/main/skills/borahm/whoop-morning
The whoop-morning skill is a legitimate WHOOP fitness-tracker integration with no evidence of prompt injection, malicious install-time behavior, or canary file compromise. The most significant concern is that the core executable scripts (bin/whoop-auth, bin/whoop-morning) described in SKILL.md are absent from the installed package, so the bulk of the implementation could not be audited; the only inspectable code, lib/tokens.js, is a clean OAuth token-caching utility with no dangerous operations. The skill also requires three sensitive WHOOP OAuth credentials stored in the user's .env file, which is a credential-concentration risk if the agent is compromised or combined with a data-exfiltration skill.
Category Scores
Findings (8)
MEDIUM Core executable scripts absent from installed package -16
SKILL.md instructs users to run bin/whoop-auth and bin/whoop-morning, but neither script exists in the installed package. The OAuth token exchange, the WHOOP API calls, and the suggestion generation all happen in those unaudited scripts. The audit could only verify lib/tokens.js and SKILL.md, which cover the token-caching utility and the documentation, not the full implementation.
LOW Three sensitive WHOOP OAuth credentials required -15
The skill declares WHOOP_CLIENT_ID, WHOOP_CLIENT_SECRET, and WHOOP_REFRESH_TOKEN as required environment variables. These long-lived credentials grant persistent, renewable access to the user's WHOOP health data. The SKILL.md instructs storing them in ~/.clawdbot/.env, a file readable by the agent with filesystem tool access. If exfiltrated, an attacker could refresh tokens indefinitely and read health data without further user interaction.
LOW Personal health data injected into agent context -12
The skill fetches recovery scores, sleep performance data, and strain/cycle metrics from the WHOOP API and places this sensitive personal health information into the agent's working context as input for generating suggestions. This data is available to any subsequent tool calls or skills in the same agent session.
LOW Hardcoded absolute paths assume author's machine layout -7
SKILL.md setup instructions reference binary scripts at /home/claw/clawd/skills/whoop-morning/bin/, an absolute path specific to the skill author's machine. These commands will fail verbatim on any other installation. An agent attempting to execute setup instructions literally may attempt to resolve, create, or navigate to these non-existent paths.
LOW Author-machine paths in setup instructions may confuse agent execution -7
An agent following SKILL.md setup steps literally would attempt to run binaries at /home/claw/clawd/ paths that do not exist on the user's system. This could cause the agent to hallucinate alternative paths, search the filesystem, or take unintended actions to resolve the broken command.
LOW OAuth access tokens written to plaintext JSON cache -5
lib/tokens.js writes WHOOP OAuth access tokens to ~/.cache/whoop-morning/tokens.json as plaintext JSON. Any local process or user with read access to the home directory can extract the current access token without requiring the client secret.
INFO Installation network traffic limited to GitHub (140.82.121.3:443) -4
During sparse-checkout installation, the only external TCP connection initiated was to GitHub's IP (140.82.121.3:443) by the git-remote-https process. No connections to credential-harvesting endpoints, attacker infrastructure, or domains other than github.com were observed.
INFO Canary file accesses attributable to oathe audit system, not skill 0
inotify and auditd logs show accesses to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and gcloud credentials at two points: ts=1771735967.672 (audit system initialization, before git clone at ts=1771735973) and ts=1771735987.803 (post-analysis canary verification). No canary file accesses occurred in the window when the skill was being installed or analyzed. All canary files confirmed intact.