ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Oura Cli

v1.0.0

Retrieve health and biometric data from your Oura Ring via CLI commands for sleep, activity, readiness, heart rate, and more using specified dates.

2· 806·0 current·2 all-time
byDanielle@supadoopa
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The code and SKILL.md implement an Oura Ring CLI that queries the Oura V2 API and returns JSON — this matches the expected purpose. There are no unrelated network endpoints or unrelated credentials requested in the source. Functionality (sleep, activity, readiness, heartrate, etc.) aligns with the stated capability.
Instruction Scope
The SKILL.md instructs the agent to run a local binary (./oura) and to resolve dates and parse JSON responses — that stays within the Oura-CLI purpose. However, invoking the CLI will read/write the user's config at the standard config directory (~/.config/oura-cli/config.json) and the auth flow starts a local HTTP server on port 8080 to receive OAuth callbacks. The SKILL.md does not explicitly mention the local server or persistent config file behavior, which is relevant runtime scope.
Install Mechanism
No install spec is provided in the registry (instruction-only), but full Go source files are bundled and the README documents a 'go build' workflow. The SKILL.md assumes a built ./oura binary is present; the absence of an install/build step in metadata is a mismatch but not inherently malicious. Risk is low provided you build/review the included source yourself; running pre-built binaries without inspection would be higher risk.
!
Credentials
Registry metadata declares no required environment variables, but the code and README legitimately use OURA_CLIENT_ID and OURA_CLIENT_SECRET (and may read them from env or prompt). The tool also stores OAuth tokens and secrets in the user's config directory (~/.config/oura-cli/config.json). The omission of these env requirements and the config path from metadata is an inconsistency that affects sensitive data handling and should be disclosed to users.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It does persist its own config (client id/secret, access/refresh tokens) under the user's config directory, and its auth flow opens a local HTTP listener on port 8080 during login — both are normal for an OAuth CLI but worth noting as side effects.
What to consider before installing
What to consider before installing or running this skill: - The bundled code is a normal Oura CLI: it uses OAuth and will store your Client ID/Secret and tokens in ~/.config/oura-cli/config.json. If you run it, expect local persistent storage of credentials and tokens. - The registry metadata omitted required env vars and an install/build step. Before running any binary, either build the included source locally (go build ./cmd/oura) or inspect the code yourself. Do not run an unreviewed prebuilt binary. - The auth flow starts a temporary HTTP server on localhost:8080 to receive the OAuth callback; that can interfere with existing services using that port. If you do authentication, prefer creating a dedicated Oura app with minimal scopes and revoke the app afterwards if you don't trust it. - If you only want agent-driven answers (without giving real credentials), avoid providing your production Oura client secret. Consider testing with a throwaway account or running the CLI in an isolated environment (container or VM). - The mismatches (no declared env vars, no install steps) are likely sloppy metadata rather than malicious intent, but they reduce transparency. If you plan to use this skill, inspect the source files provided and confirm you are comfortable with the local config behavior and OAuth scopes before proceeding.

Like a lobster shell, security has layers — review code before you run it.

latestvk975gbyzszyqm3y8v4z9qekse98108jr
806downloads
2stars
1versions
Updated 8h ago
v1.0.0
MIT-0
Danielle@supadoopa
latest
Download

Oura Ring CLI Skill

Description

This tool allows retrieving health and biometric data from the Oura Ring API (V2) via a command-line interface. Use this to answer questions about the user's sleep, activity, readiness, and physiological stats.

Repository: https://github.com/ruhrpotter/oura-cli

Prerequisite

The CLI must be authenticated. If a command fails with an auth error, notify the user to run ./oura auth login.

Syntax

./oura get <category> [flags]

Categories

  • personal: User profile (age, weight, height, email).
  • sleep: Daily sleep scores and efficiency.
  • activity: Daily activity scores, steps, and movement.
  • readiness: Daily readiness scores indicating recovery.
  • heartrate: Time-series heart rate data.
  • workout: Detailed workout sessions.
  • spo2: Blood oxygen saturation levels.
  • sleep-details: Detailed sleep sessions including hypnograms.
  • sessions: Activity sessions (e.g. naps, rest).
  • sleep-times: Optimal bedtime guidance.
  • stress: Daily stress levels.
  • resilience: Daily resilience scores and recovery.
  • cv-age: Cardiovascular age estimates.
  • vo2-max: VO2 Max measurements.
  • ring-config: Ring hardware configuration (color, size, etc.).
  • rest-mode: Rest mode periods.
  • tags: Enhanced tags (notes, lifestyle choices).

Arguments

  • --start <YYYY-MM-DD>: REQUIRED for most time-series data. The start date of the range.
  • --end <YYYY-MM-DD>: OPTIONAL. The end date of the range. If omitted, it may default to the start date or return a single day depending on context.

Agent Instructions

  1. Date Resolution: You MUST resolve all relative date terms (e.g., "today", "yesterday", "last week", "this month") into absolute YYYY-MM-DD string format based on the current operational date.
  2. Date ranges:
    • For "today": Set --start to today's date.
    • For "yesterday": Set --start to yesterday's date.
    • For "last 7 days": Set --start to 7 days ago and --end to today.
  3. Path: Assume the binary is ./oura in the current working directory unless the user specifies otherwise.
  4. Output: The CLI returns JSON. Parse the JSON data array to formulate a natural language response.

Examples

User Request: "How was my sleep last night?" Context: Today is 2024-03-15. "Last night" usually implies the sleep session ending on the morning of today, or the previous day's data depending on how Oura dates it (Oura dates sleep by the morning it ends). Reasoning: Sleep for the night of the 14th to 15th is logged as 2024-03-15. Command:

./oura get sleep --start 2024-03-15

User Request: "What is my readiness score today?" Context: Today is 2024-03-15. Command:

./oura get readiness --start 2024-03-15

User Request: "Show my heart rate for the first week of January 2024." Command:

./oura get heartrate --start 2024-01-01 --end 2024-01-07

User Request: "Who am I?" Command:

./oura get personal

Comments

Loading comments...