Oathe Security Badge

Is pfrederiksen/whoop-health-analysis safe?

https://github.com/pfrederiksen/whoop-health-analysis

Overall score: 95 (SAFE)

This Whoop health analysis skill appears to be a legitimate integration for accessing and analyzing Whoop wearable device data. The skill implements standard OAuth authentication, makes API calls to official Whoop endpoints, and generates health visualizations. While it contains executable code and communicates with external APIs, these behaviors align with its stated functionality and show no signs of malicious intent.

Category Scores

Category               Score     Weight
Prompt Injection       100/100   30%
Data Exfiltration       95/100   25%
Code Execution          85/100   20%
Clone Behavior         100/100   10%
Canary Integrity       100/100   10%
Behavioral Reasoning    95/100    5%

Findings (4)

LOW External API Communication -5

The skill makes legitimate API calls to Whoop's official endpoints for health data retrieval as part of its core functionality.

MEDIUM Executable Python Scripts -10

The skill contains executable Python scripts that implement OAuth authentication, data fetching, and chart generation functionality.

LOW Local HTTP Server -5

The OAuth authentication flow starts a local HTTP server on port 9876 for OAuth callback handling, which is standard practice but creates temporary attack surface.

INFO OAuth Scope Access -5

The skill requests comprehensive Whoop API access scopes, including recovery, sleep, workout, and profile data. While legitimate for health analysis, this represents broad data access.