whoopskill
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill's codebase was thoroughly analyzed and found to perform only the tasks described in its documentation. It implements a standard health data monitoring tool without malicious intent.
- [CREDENTIALS_UNSAFE]: The tool requires sensitive API credentials (Client ID and Secret) to function. It manages these securely via environment variables and stores resulting OAuth tokens in the user's home directory (`~/.whoop-cli/tokens.json`). The implementation correctly sets restricted file permissions (0600) on the token file to prevent unauthorized local access.
- [EXTERNAL_DOWNLOADS]: The application makes network requests to official WHOOP domains (`api.prod.whoop.com`) to facilitate authentication and data retrieval. These connections are necessary for the tool's primary purpose and do not represent unauthorized data exfiltration.
- [COMMAND_EXECUTION]: No dangerous system commands or subprocess executions were found. The tool uses the `open` library to launch the system's default browser for the OAuth flow, which is standard behavior for CLI-based authentication.
Audit Metadata