whoop-guru Security Report — Trusted | ClawSafe

8 /100

whoop-guru

WHOOP AI Fitness Coach - LLM-powered personalized training plans for running, strength, and recovery

WHOOP health management skill with legitimate OAuth-based WHOOP integration and optional LLM coaching. No malicious behavior, data exfiltration, or credential theft detected. All functionality is properly documented and operates as a standard health data aggregator.

Skill Namewhoop-guru

Duration61.8s

Enginepi

✓

Safe to install

Skill is safe to use. Ensure WHOOP OAuth credentials and LLM API keys remain protected. Monitor for any unexpected network activity to third-party IPs beyond WHOOP API and configured LLM endpoints.

Findings 3 items

Severity	Finding	Location
Low	Push scripts use hardcoded paths push-morning.py, push-evening.py, push-checkin.py hardcode /root/.openclaw/workspace-healthgao/skill/whoop-guru paths instead of using dynamic detection `sys.path.insert(0, "/root/.openclaw/workspace-healthgao/skill/whoop-guru")` → Use os.path.dirname(os.path.abspath(__file__)) for portable paths	`scripts/push-morning.py:16`
Info	Version history notes shell injection fix SKILL.md v8.2.4 release notes mention fixing os.system shell injection vulnerability - confirms active security maintenance `v8.2.4 (2026-03-29) - 安全：修复 os.system shell 注入漏洞` → No action needed - vulnerability was already patched	`SKILL.md:90`
Info	WHOOP_REFRESH_TOKEN documentation inconsistency SKILL.md mentions WHOOP_REFRESH_TOKEN in credentials.env file, but _meta.json correctly states OAuth auto-obtains tokens. The refresh token is used by lib/whoop-fetcher.sh as an alternative credential method `WHOOP_REFRESH_TOKEN` → Clarify in SKILL.md that refresh token is optional and only used with whoop-fetcher.sh	`lib/whoop-fetcher.sh:13`

Resource	Declared	Inferred	Status	Evidence
Network	`READ`	`READ`	✓ Aligned	Scripts only call WHOOP API (api.prod.whoop.com) and user-configured LLM endpoin…
Filesystem	`WRITE`	`WRITE`	✓ Aligned	Writes to ~/.clawdbot/ and data/ directories as documented
Environment	`READ`	`READ`	✓ Aligned	Reads OPENCLAW_WORKSPACE, WHOOP_DATA_DIR, WHOOP_SKILL_DIR
Shell	`WRITE`	`WRITE`	✓ Aligned	whoop-guru.py:44-47 uses subprocess.run() for health_score.py and enhanced_repor…
Skill Invoke	`NONE`	`NONE`	—	No cross-skill invocation detected
Clipboard	`NONE`	`NONE`	—	No clipboard access

21 findings

🔗

Medium External URL 外部 URL

https://developer.whoop.com

SKILL.md:144

🔗

Medium External URL 外部 URL

https://clawhub.com/skills/whoop-guru

_meta.json:8

🔗

Medium External URL 外部 URL

https://api.prod.whoop.com/oauth/oauth2/auth?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=https://localhost:...

docs/whoop_api_guide.md:17

🔗

Medium External URL 外部 URL

https://api.prod.whoop.com/oauth/oauth2/token

docs/whoop_api_guide.md:32

🔗

Medium External URL 外部 URL

https://api.minimax.chat/v1/text/chatcompletion_pro

lib/llm.py:41

🔗

Medium External URL 外部 URL

https://platform.minimaxi.com

lib/llm.py:48

🔗

Medium External URL 外部 URL

https://platform.openai.com

lib/llm.py:61

🔗

Medium External URL 外部 URL

https://console.anthropic.com

lib/llm.py:74

🔗

Medium External URL 外部 URL

https://open.bigmodel.cn/api/paas/v4/chat/completions

lib/llm.py:80

🔗

Medium External URL 外部 URL

https://open.bigmodel.cn

lib/llm.py:87

🔗

Medium External URL 外部 URL

https://api.moonshot.cn/v1/chat/completions

lib/llm.py:93

🔗

Medium External URL 外部 URL

https://platform.moonshot.cn

lib/llm.py:100

🔗

Medium External URL 外部 URL

https://dashscope.aliyuncs.com/api/v1/services/aigc/text-generation/generation

lib/llm.py:106

🔗

Medium External URL 外部 URL

https://dashscope.console.aliyun.com

lib/llm.py:113

🔗

Medium External URL 外部 URL

https://api.deepseek.com/v1/chat/completions

lib/llm.py:119

🔗

Medium External URL 外部 URL

https://platform.deepseek.com

lib/llm.py:125

🔗

Medium External URL 外部 URL

https://api.siliconflow.cn/v1/chat/completions

lib/llm.py:131

🔗

Medium External URL 外部 URL

https://cloud.siliconflow.cn

lib/llm.py:138

🔗

Medium External URL 外部 URL

https://api.prod.whoop.com/developer/v2/$

lib/whoop-fetcher.sh:55

🔗

Medium External URL 外部 URL

https://api.prod.whoop.com/developer/v2

references/api.md:3

🔗

Medium External URL 外部 URL

https://api.prod.whoop.com/oauth/oauth2/auth

references/api.md:10

File Tree

137 files · 505.8 KB · 14986 lines

Python 44f · 12204L JSON 82f · 1299L Markdown 7f · 880L Shell 4f · 603L

├─ ▾ 📁 data

│ ├─ ▾ 📁 config

│ │ ├─ 📋 llm_config.json JSON 1L · 3 B

│ │ └─ 📝 README.md Markdown 7L · 448 B

│ ├─ ▾ 📁 logs

│ │ ├─ 📋 checkin_push.json JSON 4L · 2.6 KB

│ │ ├─ 📋 checkins_default.json JSON 219L · 6.1 KB

│ │ ├─ 📋 checkins_dongyi.json JSON 12L · 284 B

│ │ ├─ 📋 evening_push.json JSON 4L · 2.0 KB

│ │ ├─ 📋 morning_push.json JSON 4L · 2.2 KB

│ │ └─ 📋 running_default.json JSON 171L · 4.5 KB

│ ├─ ▾ 📁 processed

│ │ ├─ 📋 health_advisor.json JSON 35L · 801 B

│ │ └─ 📋 latest.json JSON 7L · 126 B

│ └─ ▾ 📁 profiles

│ ├─ 📋 goals_simulation_test_1775224228.json JSON 14L · 347 B

│ ├─ 📋 goals_test_user_1775190014.871542.json JSON 1L · 2 B

│ ├─ 📋 goals_test_user_1775190014.873303.json JSON 14L · 374 B

│ ├─ 📋 goals_test_user_1775190020.593088.json JSON 1L · 2 B

│ ├─ 📋 goals_test_user_1775190020.594723.json JSON 14L · 374 B

│ ├─ 📋 goals_test_user_1775190026.709988.json JSON 1L · 2 B

│ ├─ 📋 goals_test_user_1775190026.711578.json JSON 14L · 374 B

│ ├─ 📋 goals_test_user_1775190094.688879.json JSON 1L · 2 B

│ ├─ 📋 goals_test_user_1775190094.690484.json JSON 14L · 374 B

│ ├─ 📋 goals_test_user_1775190128.971156.json JSON 1L · 2 B

│ ├─ 📋 goals_test_user_1775190128.972612.json JSON 14L · 374 B

│ ├─ 📋 goals_test_user_1775223612.535238.json JSON 1L · 2 B

│ ├─ 📋 goals_test_user_1775223612.540519.json JSON 14L · 374 B

│ ├─ 📋 goals_test_user_1775223850.417576.json JSON 1L · 2 B

│ ├─ 📋 goals_test_user_1775223850.422325.json JSON 14L · 374 B

│ ├─ 📋 goals_test_user_1775223861.873993.json JSON 1L · 2 B

│ ├─ 📋 goals_test_user_1775223861.878493.json JSON 14L · 374 B

│ ├─ 📋 goals_test_user_1775224412.545972.json JSON 1L · 2 B

│ ├─ 📋 goals_test_user_1775224412.550118.json JSON 14L · 374 B

│ ├─ 📋 goals_test_user_1775224436.293886.json JSON 1L · 2 B

│ ├─ 📋 goals_test_user_1775224436.29769.json JSON 14L · 373 B

│ ├─ 📋 goals_test_user_1775224990.821541.json JSON 1L · 2 B

│ ├─ 📋 goals_test_user_1775224990.826086.json JSON 14L · 374 B

│ ├─ 📋 goals_test_user_1775225488.269679.json JSON 1L · 2 B

│ ├─ 📋 goals_test_user_1775225488.273868.json JSON 14L · 374 B

│ ├─ 📋 marathon_goals_dongyi.json JSON 22L · 536 B

│ ├─ 📋 marathon_goals_simulation_test_1775224228.json JSON 22L · 556 B

│ ├─ 📋 marathon_goals_test_marathon_user.json JSON 22L · 548 B

│ ├─ 📋 marathon_goals_test_user_1775223612.77021.json JSON 1L · 2 B

│ ├─ 📋 marathon_goals_test_user_1775223612.794712.json JSON 1L · 2 B

│ ├─ 📋 marathon_goals_test_user_1775223850.425143.json JSON 22L · 557 B

│ ├─ 📋 marathon_goals_test_user_1775223850.449259.json JSON 1L · 2 B

│ ├─ 📋 marathon_goals_test_user_1775223850.4524.json JSON 19L · 485 B

│ ├─ 📋 marathon_goals_test_user_1775223850.454387.json JSON 22L · 553 B

│ ├─ 📋 marathon_goals_test_user_1775223850.456401.json JSON 19L · 487 B

│ ├─ 📋 marathon_goals_test_user_1775223850.603095.json JSON 1L · 2 B

│ ├─ 📋 marathon_goals_test_user_1775223850.620433.json JSON 1L · 2 B

│ ├─ 📋 marathon_goals_test_user_1775223861.881167.json JSON 22L · 557 B

│ ├─ 📋 marathon_goals_test_user_1775223861.883149.json JSON 1L · 2 B

│ ├─ 📋 marathon_goals_test_user_1775223861.885892.json JSON 19L · 487 B

│ ├─ 📋 marathon_goals_test_user_1775223861.887832.json JSON 22L · 553 B

│ ├─ 📋 marathon_goals_test_user_1775223861.88967.json JSON 19L · 486 B

│ ├─ 📋 marathon_goals_test_user_1775223862.019138.json JSON 1L · 2 B

│ ├─ 📋 marathon_goals_test_user_1775223862.033213.json JSON 1L · 2 B

│ ├─ 📋 marathon_goals_test_user_1775224412.55296.json JSON 22L · 556 B

│ ├─ 📋 marathon_goals_test_user_1775224412.554829.json JSON 1L · 2 B

│ ├─ 📋 marathon_goals_test_user_1775224412.557506.json JSON 19L · 487 B

│ ├─ 📋 marathon_goals_test_user_1775224412.559284.json JSON 22L · 553 B

│ ├─ 📋 marathon_goals_test_user_1775224412.561096.json JSON 19L · 487 B

│ ├─ 📋 marathon_goals_test_user_1775224412.687668.json JSON 1L · 2 B

│ ├─ 📋 marathon_goals_test_user_1775224412.701859.json JSON 1L · 2 B

│ ├─ 📋 marathon_goals_test_user_1775224436.30032.json JSON 22L · 556 B

│ ├─ 📋 marathon_goals_test_user_1775224436.302031.json JSON 1L · 2 B

│ ├─ 📋 marathon_goals_test_user_1775224436.304375.json JSON 19L · 487 B

│ ├─ 📋 marathon_goals_test_user_1775224436.306063.json JSON 22L · 553 B

│ ├─ 📋 marathon_goals_test_user_1775224436.309536.json JSON 19L · 487 B

│ ├─ 📋 marathon_goals_test_user_1775224436.431787.json JSON 1L · 2 B

│ ├─ 📋 marathon_goals_test_user_1775224436.444663.json JSON 1L · 2 B

│ ├─ 📋 marathon_goals_test_user_1775224990.829856.json JSON 22L · 557 B

│ ├─ 📋 marathon_goals_test_user_1775224990.83249.json JSON 1L · 2 B

│ ├─ 📋 marathon_goals_test_user_1775224990.834953.json JSON 19L · 487 B

│ ├─ 📋 marathon_goals_test_user_1775224990.836773.json JSON 22L · 553 B

│ ├─ 📋 marathon_goals_test_user_1775224990.838613.json JSON 19L · 487 B

│ ├─ 📋 marathon_goals_test_user_1775224990.965365.json JSON 1L · 2 B

│ ├─ 📋 marathon_goals_test_user_1775224990.98028.json JSON 1L · 2 B

│ ├─ 📋 marathon_goals_test_user_1775225488.276726.json JSON 22L · 557 B

│ ├─ 📋 marathon_goals_test_user_1775225488.278449.json JSON 1L · 2 B

│ ├─ 📋 marathon_goals_test_user_1775225488.281118.json JSON 19L · 487 B

│ ├─ 📋 marathon_goals_test_user_1775225488.282935.json JSON 22L · 553 B

│ ├─ 📋 marathon_goals_test_user_1775225488.284771.json JSON 19L · 487 B

│ ├─ 📋 marathon_goals_test_user_1775225488.417398.json JSON 1L · 2 B

│ └─ 📋 marathon_goals_test_user_1775225488.436721.json JSON 1L · 2 B

├─ ▾ 📁 docs

│ └─ 📝 whoop_api_guide.md Markdown 66L · 1.3 KB

├─ ▾ 📁 lib

│ ├─ ▾ 📁 coach

│ │ ├─ 🐍 __init__.py Python 0 B

│ │ └─ 🐍 core.py Python 261L · 10.0 KB

│ ├─ ▾ 📁 ml

│ │ ├─ 🐍 __init__.py Python 22L · 446 B

│ │ ├─ 🐍 predictor.py Python 335L · 10.9 KB

│ │ └─ 🐍 recovery_model.py Python 312L · 9.6 KB

│ ├─ ▾ 📁 prompts

│ │ ├─ 🐍 __init__.py Python 67L · 1.6 KB

│ │ ├─ 🐍 injury.py Python 72L · 1.7 KB

│ │ ├─ 🐍 recovery.py Python 73L · 1.6 KB

│ │ ├─ 🐍 training.py Python 163L · 4.2 KB

│ │ └─ 🐍 weekly.py Python 85L · 1.6 KB

│ ├─ ▾ 📁 reports

│ │ └─ 🐍 weekly.py Python 175L · 6.1 KB

│ ├─ 🐍 __init__.py Python 0 B

│ ├─ 🐍 cli.py Python 96L · 3.0 KB

│ ├─ 🐍 coach_interface.py Python 370L · 10.2 KB

│ ├─ 🐍 comprehensive_analysis.py Python 133L · 4.3 KB

│ ├─ 🔧 daily-report.sh Shell 239L · 10.7 KB

│ ├─ 🐍 data_cleaner.py Python 147L · 5.0 KB

│ ├─ 🐍 data_processor.py Python 157L · 4.8 KB

│ ├─ 🔧 detailed-report.sh Shell 249L · 11.5 KB

│ ├─ 🐍 dynamic_planner.py Python 273L · 8.9 KB

│ ├─ 🐍 enhanced_report.py Python 215L · 7.2 KB

│ ├─ 🐍 enhanced_reports.py Python 710L · 27.1 KB

│ ├─ 🐍 feedback_learning.py Python 116L · 3.8 KB

│ ├─ 🐍 goals_marathon.py Python 260L · 8.1 KB

│ ├─ 🐍 goals.py Python 702L · 24.0 KB

│ ├─ 🐍 health_advisor.py Python 232L · 7.9 KB

│ ├─ 🐍 health_score.py Python 77L · 2.7 KB

│ ├─ 🐍 llm.py Python 793L · 27.7 KB

│ ├─ 🐍 marathon_analyzer.py Python 637L · 22.3 KB

│ ├─ 🐍 marathon_commands.py Python 527L · 16.9 KB

│ ├─ 🐍 ml_predictor.py Python 136L · 4.3 KB

│ ├─ 🐍 needs_analyzer.py Python 699L · 24.8 KB

│ ├─ 🐍 notifications.py Python 89L · 2.7 KB

│ ├─ 🐍 plan_generator.py Python 318L · 8.9 KB

│ ├─ 🐍 pusher.py Python 667L · 30.1 KB

│ ├─ 🐍 sync.py Python 177L · 5.8 KB

│ ├─ 🐍 tracker.py Python 768L · 25.3 KB

│ ├─ 🐍 user_profile.py Python 133L · 4.0 KB

│ └─ 🔧 whoop-fetcher.sh Shell 75L · 2.2 KB

├─ ▾ 📁 references

│ ├─ 📝 api.md Markdown 47L · 2.1 KB

│ └─ 📝 health_analysis.md Markdown 212L · 7.8 KB

├─ ▾ 📁 scripts

│ ├─ 🔧 coach-push.sh Shell 40L · 965 B

│ ├─ 🐍 push-checkin.py Python 48L · 1.0 KB

│ ├─ 🐍 push-evening.py Python 49L · 1.0 KB

│ ├─ 🐍 push-morning.py Python 49L · 1.1 KB

│ ├─ 🐍 whoop_auth.py Python 303L · 9.5 KB

│ ├─ 🐍 whoop_chart.py Python 890L · 33.1 KB

│ └─ 🐍 whoop_data.py Python 294L · 9.3 KB

├─ ▾ 📁 tests

│ └─ 🐍 test_all.py Python 521L · 18.3 KB

├─ 📋 _meta.json JSON 70L · 2.8 KB

├─ 📝 CLAWHUB.md Markdown 166L · 4.9 KB

├─ 📝 icon_prompt.md Markdown 37L · 1.1 KB

├─ 📝 SKILL.md Markdown 345L · 10.2 KB

└─ 🐍 whoop-guru.py Python 53L · 1.8 KB

Dependencies 3 items

Package	Version	Source	Known Vulns	Notes
`requests`	`*`	pip	No	Version not pinned but stdlib-based; low supply chain risk for health data tool
`pandas`	`*`	pip	No	Version not pinned
`matplotlib`	`*`	pip	No	Version not pinned

Security Positives

✓ OAuth flow uses proper state parameter and PKCE-style CSRF protection

✓ Token file permissions set to 0o600 after creation

✓ All network calls target legitimate WHOOP API endpoints

✓ LLM API key stored locally only, not transmitted elsewhere

✓ Shell injection vulnerability (os.system) was patched in v8.2.4

✓ Clear privacy statement in SKILL.md explaining data flow

✓ Credentials stored in ~/.clawdbot/ separate from skill data

✓ No base64-encoded payloads piped to shell

✓ No direct IP network requests to unknown servers

✓ No credential harvesting from ~/.ssh, ~/.aws, or .env

✓ No hidden instructions in HTML comments

Scan Report

Findings 3 items

File Tree

Dependencies 3 items

Security Positives