whoop-morning
Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUM
CREDENTIALS_UNSAFE, DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill manages sensitive OAuth2 credentials including client secrets and refresh tokens. The file `lib/tokens.js` writes these credentials to `~/.cache/whoop-morning/tokens.json` using standard file system operations without explicitly setting restricted file permissions (e.g., 600).
- [DATA_EXFILTRATION]: The skill is designed to fetch personal health information, including sleep cycles and recovery metrics, from the WHOOP API. While this aligns with the skill's stated purpose, it involves the retrieval and local caching of sensitive biometric data.
- [COMMAND_EXECUTION]: The documentation in `SKILL.md` instructs the user to execute local scripts (`bin/whoop-auth` and `bin/whoop-morning`) that are part of the skill package to facilitate authentication and data reporting.
- [EXTERNAL_DOWNLOADS]: The skill makes network requests to `api.prod.whoop.com` for OAuth token exchange and data retrieval. These are official endpoints for a well-known service and are necessary for the skill's operation.
Audit Metadata