Is koala73/whoopskill safe?

https://github.com/openclaw/skills/tree/main/skills/koala73/whoopskill

92
SAFE

whoopskill is a legitimate TypeScript CLI tool that fetches WHOOP health metrics via the official WHOOP API v2 using a standard OAuth2 flow. The source code is clean, all network calls are directed exclusively to api.prod.whoop.com, and no prompt injection, malicious install scripts, git hooks, or exfiltration logic was detected. The primary concerns are non-malicious: sensitive biometric PII (HRV, sleep, SpO2) enters the agent's conversation context, and OAuth tokens stored at ~/.whoop-cli/tokens.json are readable by co-located processes.

Category Scores

Prompt Injection 96/100 · 30%
Data Exfiltration 87/100 · 25%
Code Execution 93/100 · 20%
Clone Behavior 91/100 · 10%
Canary Integrity 98/100 · 10%
Behavioral Reasoning 83/100 · 5%

Findings (6)

LOW PII exposure via profile and health endpoints -8

The profile endpoint returns user_id, email, first_name, and last_name. When invoked by an agent, this PII is written to stdout and captured in the agent's conversation context, where it may persist in logs or be shared with downstream LLM calls.

LOW OAuth token storage readable by co-located processes -5

Access and refresh tokens are stored in ~/.whoop-cli/tokens.json with mode 0600. Any process running as the same OS user (including other agent skills) can read these tokens and make authenticated WHOOP API calls on the user's behalf.

LOW Biometric health data handled in agent conversation context -12

The skill surfaces highly sensitive health metrics (HRV, sleep stages, SpO2, skin temperature, resting heart rate) into the agent's working context. If the agent summarizes or relays this data, it may be logged by the LLM provider or inadvertently disclosed.

LOW prepare build script runs tsc on npm install -7

The package.json prepare lifecycle hook runs npm run build (tsc). During global npm install this compiles TypeScript source. The compilation is from audited local source files only and does not fetch remote code, but it does execute the TypeScript compiler as a side effect of installation.

INFO Skill fetched from monorepo sparse checkout 0

The install mechanism uses git sparse-checkout to extract only the skills/koala73/whoopskill subdirectory from the openclaw/skills monorepo. This is the expected Oathe install pattern and carries no additional risk.

INFO OAuth client_secret transmitted to WHOOP token endpoint -5

During the OAuth token exchange and refresh flows, WHOOP_CLIENT_SECRET is included in POST body parameters to https://api.prod.whoop.com/oauth/oauth2/token. This is standard OAuth2 confidential client behavior and the destination is the legitimate WHOOP API, but the secret is transmitted over the network.