whoop
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script `src/auth.js` uses `execFileSync` to run `openssl` for TLS certificate generation and to open the system browser for OAuth authentication. These actions are restricted to necessary setup operations and use controlled arguments to prevent injection.
- [DATA_EXFILTRATION]: The skill manages sensitive OAuth credentials and tokens, storing them in `~/.clawdbot/whoop/`. These files are accessed only to authenticate requests with official WHOOP API endpoints, and no sensitive data is sent to untrusted third-party domains.
- [EXTERNAL_DOWNLOADS]: Retrieves health and activity data (sleep, recovery, strain) from official WHOOP Developer API domains (api.prod.whoop.com).
- [PROMPT_INJECTION]: No malicious instructions, bypass attempts, or safety filter overrides were found in the documentation or the implementation scripts.
Audit Metadata