Trusted: risk score 8/100
Last scan: 2 days ago
whoop-guru
WHOOP AI Fitness Coach - LLM-powered personalized training plans for running, strength, and recovery
WHOOP health management skill with legitimate OAuth-based WHOOP integration and optional LLM coaching. No malicious behavior, data exfiltration, or credential theft detected. All functionality is properly documented and operates as a standard health data aggregator.
Skill name: whoop-guru
Analysis time: 61.8s
Engine: pi
Verdict: safe to install
Skill is safe to use. Ensure WHOOP OAuth credentials and LLM API keys remain protected. Monitor for any unexpected network activity to third-party IPs beyond WHOOP API and configured LLM endpoints.

Security findings (3)

Severity | Finding | Location
Low | Push scripts use hardcoded paths | scripts/push-morning.py:16
  push-morning.py, push-evening.py and push-checkin.py hardcode /root/.openclaw/workspace-healthgao/skill/whoop-guru instead of detecting the skill directory dynamically.
  Evidence: sys.path.insert(0, "/root/.openclaw/workspace-healthgao/skill/whoop-guru")
  → Use os.path.dirname(os.path.abspath(__file__)) for portable paths
Info | Version history notes shell injection fix | SKILL.md:90
  The SKILL.md v8.2.4 release notes mention fixing an os.system shell injection vulnerability, which confirms active security maintenance.
  Evidence: v8.2.4 (2026-03-29) - Security: fixed os.system shell injection vulnerability
  → No action needed; the vulnerability was already patched
Info | WHOOP_REFRESH_TOKEN documentation inconsistency | lib/whoop-fetcher.sh:13
  SKILL.md lists WHOOP_REFRESH_TOKEN in the credentials.env file, while _meta.json correctly states that OAuth obtains tokens automatically. The refresh token is used by lib/whoop-fetcher.sh as an alternative credential method.
  Evidence: WHOOP_REFRESH_TOKEN
  → Clarify in SKILL.md that the refresh token is optional and only used with whoop-fetcher.sh
Resource | Declared permission | Inferred permission | Status | Evidence
Network access | READ | READ | ✓ consistent | Scripts only call the WHOOP API (api.prod.whoop.com) and user-configured LLM endpoin…
File system | WRITE | WRITE | ✓ consistent | Writes to ~/.clawdbot/ and data/ directories as documented
Environment variables | READ | READ | ✓ consistent | Reads OPENCLAW_WORKSPACE, WHOOP_DATA_DIR, WHOOP_SKILL_DIR
Command execution | WRITE | WRITE | ✓ consistent | whoop-guru.py:44-47 uses subprocess.run() for health_score.py and enhanced_repor…
Skill invocation | NONE | NONE | - | No cross-skill invocation detected
Clipboard | NONE | NONE | - | No clipboard access
External URL findings (21)

Severity | URL | Location
Medium | https://developer.whoop.com | SKILL.md:144
Medium | https://clawhub.com/skills/whoop-guru | _meta.json:8
Medium | https://api.prod.whoop.com/oauth/oauth2/auth?response_type=code&client_id=YOUR_CLIENT_ID&redirect_uri=https://localhost:... | docs/whoop_api_guide.md:17
Medium | https://api.prod.whoop.com/oauth/oauth2/token | docs/whoop_api_guide.md:32
Medium | https://api.minimax.chat/v1/text/chatcompletion_pro | lib/llm.py:41
Medium | https://platform.minimaxi.com | lib/llm.py:48
Medium | https://platform.openai.com | lib/llm.py:61
Medium | https://console.anthropic.com | lib/llm.py:74
Medium | https://open.bigmodel.cn/api/paas/v4/chat/completions | lib/llm.py:80
Medium | https://open.bigmodel.cn | lib/llm.py:87
Medium | https://api.moonshot.cn/v1/chat/completions | lib/llm.py:93
Medium | https://platform.moonshot.cn | lib/llm.py:100
Medium | https://dashscope.aliyuncs.com/api/v1/services/aigc/text-generation/generation | lib/llm.py:106
Medium | https://dashscope.console.aliyun.com | lib/llm.py:113
Medium | https://api.deepseek.com/v1/chat/completions | lib/llm.py:119
Medium | https://platform.deepseek.com | lib/llm.py:125
Medium | https://api.siliconflow.cn/v1/chat/completions | lib/llm.py:131
Medium | https://cloud.siliconflow.cn | lib/llm.py:138
Medium | https://api.prod.whoop.com/developer/v2/$ | lib/whoop-fetcher.sh:55
Medium | https://api.prod.whoop.com/developer/v2 | references/api.md:3
Medium | https://api.prod.whoop.com/oauth/oauth2/auth | references/api.md:10

Directory structure

137 files · 505.8 KB · 14986 lines
Python: 44 files, 12204 lines · JSON: 82 files, 1299 lines · Markdown: 7 files, 880 lines · Shell: 4 files, 603 lines
├─ 📁 data
│ ├─ 📁 config
│ │ ├─ 📋 llm_config.json JSON 1L · 3 B
│ │ └─ 📝 README.md Markdown 7L · 448 B
│ ├─ 📁 logs
│ │ ├─ 📋 checkin_push.json JSON 4L · 2.6 KB
│ │ ├─ 📋 checkins_default.json JSON 219L · 6.1 KB
│ │ ├─ 📋 checkins_dongyi.json JSON 12L · 284 B
│ │ ├─ 📋 evening_push.json JSON 4L · 2.0 KB
│ │ ├─ 📋 morning_push.json JSON 4L · 2.2 KB
│ │ └─ 📋 running_default.json JSON 171L · 4.5 KB
│ ├─ 📁 processed
│ │ ├─ 📋 health_advisor.json JSON 35L · 801 B
│ │ └─ 📋 latest.json JSON 7L · 126 B
│ └─ 📁 profiles
│ ├─ 📋 goals_simulation_test_1775224228.json JSON 14L · 347 B
│ ├─ 📋 goals_test_user_1775190014.871542.json JSON 1L · 2 B
│ ├─ 📋 goals_test_user_1775190014.873303.json JSON 14L · 374 B
│ ├─ 📋 goals_test_user_1775190020.593088.json JSON 1L · 2 B
│ ├─ 📋 goals_test_user_1775190020.594723.json JSON 14L · 374 B
│ ├─ 📋 goals_test_user_1775190026.709988.json JSON 1L · 2 B
│ ├─ 📋 goals_test_user_1775190026.711578.json JSON 14L · 374 B
│ ├─ 📋 goals_test_user_1775190094.688879.json JSON 1L · 2 B
│ ├─ 📋 goals_test_user_1775190094.690484.json JSON 14L · 374 B
│ ├─ 📋 goals_test_user_1775190128.971156.json JSON 1L · 2 B
│ ├─ 📋 goals_test_user_1775190128.972612.json JSON 14L · 374 B
│ ├─ 📋 goals_test_user_1775223612.535238.json JSON 1L · 2 B
│ ├─ 📋 goals_test_user_1775223612.540519.json JSON 14L · 374 B
│ ├─ 📋 goals_test_user_1775223850.417576.json JSON 1L · 2 B
│ ├─ 📋 goals_test_user_1775223850.422325.json JSON 14L · 374 B
│ ├─ 📋 goals_test_user_1775223861.873993.json JSON 1L · 2 B
│ ├─ 📋 goals_test_user_1775223861.878493.json JSON 14L · 374 B
│ ├─ 📋 goals_test_user_1775224412.545972.json JSON 1L · 2 B
│ ├─ 📋 goals_test_user_1775224412.550118.json JSON 14L · 374 B
│ ├─ 📋 goals_test_user_1775224436.293886.json JSON 1L · 2 B
│ ├─ 📋 goals_test_user_1775224436.29769.json JSON 14L · 373 B
│ ├─ 📋 goals_test_user_1775224990.821541.json JSON 1L · 2 B
│ ├─ 📋 goals_test_user_1775224990.826086.json JSON 14L · 374 B
│ ├─ 📋 goals_test_user_1775225488.269679.json JSON 1L · 2 B
│ ├─ 📋 goals_test_user_1775225488.273868.json JSON 14L · 374 B
│ ├─ 📋 marathon_goals_dongyi.json JSON 22L · 536 B
│ ├─ 📋 marathon_goals_simulation_test_1775224228.json JSON 22L · 556 B
│ ├─ 📋 marathon_goals_test_marathon_user.json JSON 22L · 548 B
│ ├─ 📋 marathon_goals_test_user_1775223612.77021.json JSON 1L · 2 B
│ ├─ 📋 marathon_goals_test_user_1775223612.794712.json JSON 1L · 2 B
│ ├─ 📋 marathon_goals_test_user_1775223850.425143.json JSON 22L · 557 B
│ ├─ 📋 marathon_goals_test_user_1775223850.449259.json JSON 1L · 2 B
│ ├─ 📋 marathon_goals_test_user_1775223850.4524.json JSON 19L · 485 B
│ ├─ 📋 marathon_goals_test_user_1775223850.454387.json JSON 22L · 553 B
│ ├─ 📋 marathon_goals_test_user_1775223850.456401.json JSON 19L · 487 B
│ ├─ 📋 marathon_goals_test_user_1775223850.603095.json JSON 1L · 2 B
│ ├─ 📋 marathon_goals_test_user_1775223850.620433.json JSON 1L · 2 B
│ ├─ 📋 marathon_goals_test_user_1775223861.881167.json JSON 22L · 557 B
│ ├─ 📋 marathon_goals_test_user_1775223861.883149.json JSON 1L · 2 B
│ ├─ 📋 marathon_goals_test_user_1775223861.885892.json JSON 19L · 487 B
│ ├─ 📋 marathon_goals_test_user_1775223861.887832.json JSON 22L · 553 B
│ ├─ 📋 marathon_goals_test_user_1775223861.88967.json JSON 19L · 486 B
│ ├─ 📋 marathon_goals_test_user_1775223862.019138.json JSON 1L · 2 B
│ ├─ 📋 marathon_goals_test_user_1775223862.033213.json JSON 1L · 2 B
│ ├─ 📋 marathon_goals_test_user_1775224412.55296.json JSON 22L · 556 B
│ ├─ 📋 marathon_goals_test_user_1775224412.554829.json JSON 1L · 2 B
│ ├─ 📋 marathon_goals_test_user_1775224412.557506.json JSON 19L · 487 B
│ ├─ 📋 marathon_goals_test_user_1775224412.559284.json JSON 22L · 553 B
│ ├─ 📋 marathon_goals_test_user_1775224412.561096.json JSON 19L · 487 B
│ ├─ 📋 marathon_goals_test_user_1775224412.687668.json JSON 1L · 2 B
│ ├─ 📋 marathon_goals_test_user_1775224412.701859.json JSON 1L · 2 B
│ ├─ 📋 marathon_goals_test_user_1775224436.30032.json JSON 22L · 556 B
│ ├─ 📋 marathon_goals_test_user_1775224436.302031.json JSON 1L · 2 B
│ ├─ 📋 marathon_goals_test_user_1775224436.304375.json JSON 19L · 487 B
│ ├─ 📋 marathon_goals_test_user_1775224436.306063.json JSON 22L · 553 B
│ ├─ 📋 marathon_goals_test_user_1775224436.309536.json JSON 19L · 487 B
│ ├─ 📋 marathon_goals_test_user_1775224436.431787.json JSON 1L · 2 B
│ ├─ 📋 marathon_goals_test_user_1775224436.444663.json JSON 1L · 2 B
│ ├─ 📋 marathon_goals_test_user_1775224990.829856.json JSON 22L · 557 B
│ ├─ 📋 marathon_goals_test_user_1775224990.83249.json JSON 1L · 2 B
│ ├─ 📋 marathon_goals_test_user_1775224990.834953.json JSON 19L · 487 B
│ ├─ 📋 marathon_goals_test_user_1775224990.836773.json JSON 22L · 553 B
│ ├─ 📋 marathon_goals_test_user_1775224990.838613.json JSON 19L · 487 B
│ ├─ 📋 marathon_goals_test_user_1775224990.965365.json JSON 1L · 2 B
│ ├─ 📋 marathon_goals_test_user_1775224990.98028.json JSON 1L · 2 B
│ ├─ 📋 marathon_goals_test_user_1775225488.276726.json JSON 22L · 557 B
│ ├─ 📋 marathon_goals_test_user_1775225488.278449.json JSON 1L · 2 B
│ ├─ 📋 marathon_goals_test_user_1775225488.281118.json JSON 19L · 487 B
│ ├─ 📋 marathon_goals_test_user_1775225488.282935.json JSON 22L · 553 B
│ ├─ 📋 marathon_goals_test_user_1775225488.284771.json JSON 19L · 487 B
│ ├─ 📋 marathon_goals_test_user_1775225488.417398.json JSON 1L · 2 B
│ └─ 📋 marathon_goals_test_user_1775225488.436721.json JSON 1L · 2 B
├─ 📁 docs
│ └─ 📝 whoop_api_guide.md Markdown 66L · 1.3 KB
├─ 📁 lib
│ ├─ 📁 coach
│ │ ├─ 🐍 __init__.py Python 0 B
│ │ └─ 🐍 core.py Python 261L · 10.0 KB
│ ├─ 📁 ml
│ │ ├─ 🐍 __init__.py Python 22L · 446 B
│ │ ├─ 🐍 predictor.py Python 335L · 10.9 KB
│ │ └─ 🐍 recovery_model.py Python 312L · 9.6 KB
│ ├─ 📁 prompts
│ │ ├─ 🐍 __init__.py Python 67L · 1.6 KB
│ │ ├─ 🐍 injury.py Python 72L · 1.7 KB
│ │ ├─ 🐍 recovery.py Python 73L · 1.6 KB
│ │ ├─ 🐍 training.py Python 163L · 4.2 KB
│ │ └─ 🐍 weekly.py Python 85L · 1.6 KB
│ ├─ 📁 reports
│ │ └─ 🐍 weekly.py Python 175L · 6.1 KB
│ ├─ 🐍 __init__.py Python 0 B
│ ├─ 🐍 cli.py Python 96L · 3.0 KB
│ ├─ 🐍 coach_interface.py Python 370L · 10.2 KB
│ ├─ 🐍 comprehensive_analysis.py Python 133L · 4.3 KB
│ ├─ 🔧 daily-report.sh Shell 239L · 10.7 KB
│ ├─ 🐍 data_cleaner.py Python 147L · 5.0 KB
│ ├─ 🐍 data_processor.py Python 157L · 4.8 KB
│ ├─ 🔧 detailed-report.sh Shell 249L · 11.5 KB
│ ├─ 🐍 dynamic_planner.py Python 273L · 8.9 KB
│ ├─ 🐍 enhanced_report.py Python 215L · 7.2 KB
│ ├─ 🐍 enhanced_reports.py Python 710L · 27.1 KB
│ ├─ 🐍 feedback_learning.py Python 116L · 3.8 KB
│ ├─ 🐍 goals_marathon.py Python 260L · 8.1 KB
│ ├─ 🐍 goals.py Python 702L · 24.0 KB
│ ├─ 🐍 health_advisor.py Python 232L · 7.9 KB
│ ├─ 🐍 health_score.py Python 77L · 2.7 KB
│ ├─ 🐍 llm.py Python 793L · 27.7 KB
│ ├─ 🐍 marathon_analyzer.py Python 637L · 22.3 KB
│ ├─ 🐍 marathon_commands.py Python 527L · 16.9 KB
│ ├─ 🐍 ml_predictor.py Python 136L · 4.3 KB
│ ├─ 🐍 needs_analyzer.py Python 699L · 24.8 KB
│ ├─ 🐍 notifications.py Python 89L · 2.7 KB
│ ├─ 🐍 plan_generator.py Python 318L · 8.9 KB
│ ├─ 🐍 pusher.py Python 667L · 30.1 KB
│ ├─ 🐍 sync.py Python 177L · 5.8 KB
│ ├─ 🐍 tracker.py Python 768L · 25.3 KB
│ ├─ 🐍 user_profile.py Python 133L · 4.0 KB
│ └─ 🔧 whoop-fetcher.sh Shell 75L · 2.2 KB
├─ 📁 references
│ ├─ 📝 api.md Markdown 47L · 2.1 KB
│ └─ 📝 health_analysis.md Markdown 212L · 7.8 KB
├─ 📁 scripts
│ ├─ 🔧 coach-push.sh Shell 40L · 965 B
│ ├─ 🐍 push-checkin.py Python 48L · 1.0 KB
│ ├─ 🐍 push-evening.py Python 49L · 1.0 KB
│ ├─ 🐍 push-morning.py Python 49L · 1.1 KB
│ ├─ 🐍 whoop_auth.py Python 303L · 9.5 KB
│ ├─ 🐍 whoop_chart.py Python 890L · 33.1 KB
│ └─ 🐍 whoop_data.py Python 294L · 9.3 KB
├─ 📁 tests
│ └─ 🐍 test_all.py Python 521L · 18.3 KB
├─ 📋 _meta.json JSON 70L · 2.8 KB
├─ 📝 CLAWHUB.md Markdown 166L · 4.9 KB
├─ 📝 icon_prompt.md Markdown 37L · 1.1 KB
├─ 📝 SKILL.md Markdown 345L · 10.2 KB
└─ 🐍 whoop-guru.py Python 53L · 1.8 KB

Dependency analysis (3)

Package | Version | Source | Known vulnerabilities | Notes
requests | * | pip | - | Version not pinned but stdlib-based; low supply chain risk for health data tool
pandas | * | pip | - | Version not pinned
matplotlib | * | pip | - | Version not pinned

Security highlights

✓ OAuth flow uses proper state parameter and PKCE-style CSRF protection
✓ Token file permissions set to 0o600 after creation
✓ All network calls target legitimate WHOOP API endpoints
✓ LLM API key stored locally only, not transmitted elsewhere
✓ Shell injection vulnerability (os.system) was patched in v8.2.4
✓ Clear privacy statement in SKILL.md explaining data flow
✓ Credentials stored in ~/.clawdbot/ separate from skill data
✓ No base64-encoded payloads piped to shell
✓ No direct IP network requests to unknown servers
✓ No credential harvesting from ~/.ssh, ~/.aws, or .env
✓ No hidden instructions in HTML comments