Trust Assessment
whoop received a trust score of 20/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 5 findings: 2 critical, 0 high, 3 medium, and 0 low severity. Key findings include Network egress to untrusted endpoints, Unsafe deserialization / dynamic eval, Suspicious import: requests.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 33/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings5
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Network egress to untrusted endpoints Python requests POST/PUT to URL Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/ijaack/whoop-tracker/scripts/whoop_client.py:105 | |
| CRITICAL | Network egress to untrusted endpoints Python requests POST/PUT to URL Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | skills/ijaack/whoop-tracker/scripts/whoop_client.py:131 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/ijaack/whoop-tracker/scripts/get_workouts.py:32 | |
| MEDIUM | Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/ijaack/whoop-tracker/scripts/whoop_client.py:16 | |
| MEDIUM | Unpinned Python Dependency The skill's installation script `scripts/install.sh` installs the `requests` Python package without specifying a version. This can lead to supply chain risks, as a future malicious or incompatible version of `requests` could be installed, potentially introducing vulnerabilities or breaking the skill's functionality. It also appears in the `SKILL.md` as a direct instruction. Pin the `requests` dependency to a specific, known-good version (e.g., `pip3 install requests==2.28.1`). Consider using a `requirements.txt` file and `pip install -r requirements.txt` for better dependency management and reproducibility. | LLM | scripts/install.sh:4 |
Scan History
Embed Code
[](https://skillshield.io/report/760bdb7328f78c84)
Powered by SkillShield