Is luisgot/whoo-cli safe?
https://github.com/openclaw/skills/tree/main/skills/luisgot/whoo-cli
The whoo-cli skill is a well-structured, legitimate integration for the WHOOP fitness API that follows security best practices including interactive OAuth, masked credential input, and explicit prompt injection defenses for API output. The skill definition files contain no malicious code, hidden instructions, or exfiltration mechanisms, and the installation clone was clean with all canary files intact. The primary residual risk is that the skill requires installing an unaudited third-party npm/bun package (@luisgot/whoo) with full user privileges, which was not executed in this sandbox and whose supply chain integrity cannot be confirmed from this audit alone.
Findings (6)
LOW Behavioral Data-Handling Directive in SKILL.md -7
The SKILL.md contains an explicit instruction to the agent: 'Process it locally within this conversation only. Do not forward raw output to external APIs, logs, or third-party services.' While this instruction is protective in intent—preventing health data leakage—it represents a third-party skill author issuing behavioral policy directives to the agent. A maliciously framed version of this pattern could instruct agents to suppress output, avoid logging, or refuse user requests to share data with authorized services.
MEDIUM Unaudited Third-Party npm/bun Package Required -18
The skill's functionality depends entirely on installing @luisgot/whoo globally via bun or npm. This package was not executed in the sandbox environment and its install-time scripts, runtime behavior, and supply chain integrity were not evaluated here. A compromised or malicious version of this package could read credential files, exfiltrate health data, install persistence mechanisms, or perform any operation with the installing user's privileges. The SKILL.md notes 'verify the source before installing' but does not provide a checksum or pinned version.
LOW Sensitive Biometric Health Data Handled by Unaudited CLI -5
The skill fetches and processes highly sensitive personal health metrics including HRV (cardiovascular stress proxy), SpO2, skin temperature deviation (illness/alcohol marker), sleep architecture, and resting heart rate. While SKILL.md includes a protective data notice, the actual data flow passes through the @luisgot/whoo CLI binary which stores OAuth tokens in the OS config directory and makes authenticated API calls to WHOOP servers. A compromised binary could silently exfiltrate this data.
INFO Positive: JSON Output Prompt Injection Defense 0
The SKILL.md explicitly instructs the agent to treat --json output as structured data and ignore any embedded instruction strings. This is a proactive defense against second-order prompt injection attacks where a malicious WHOOP API response could attempt to hijack the agent. This is a security best practice.
INFO Clean Installation — No Unexpected Activity 0
The clone process was limited to a sparse git checkout from the openclaw/skills monorepo on GitHub. No unexpected network destinations, process spawning, filesystem changes outside the skill directory, or firewall-blocked connections were observed during the installation window.
INFO All Honeypot Files Intact 0
Monitoring confirmed that all canary files (.env, SSH private key, AWS credentials, .npmrc, Docker config, GCloud credentials) were not modified or exfiltrated. File access events at audit session boundaries are attributable to the OATHE monitoring framework's initialization and teardown routines, not to the skill installation process.