Oura MCP

Pass

Audited by VirusTotal on May 6, 2026.

Overview

Type: OpenClaw Skill
Name: oura-mcp
Version: 0.1.1

The skill bundle provides instructions for integrating Oura health data via an MCP server using the 'oura-mcp-unofficial' package. It includes standard setup commands and explicitly outlines safety boundaries to prevent the exposure of OAuth tokens or private user data. A branding note requesting a GitHub star is included in SKILL.md, but no malicious behavior, data exfiltration patterns, or harmful prompt injections are present.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing and authenticating the integration can let a connected agent access Oura account data according to the granted scopes.

Why it was flagged

The skill requires OAuth-backed access to a user's Oura account and stores tokens locally; this is expected for the purpose but sensitive.

Skill content
Oura OAuth tokens stay under ~/.oura-mcp/. Data availability depends on ring generation, membership, and scopes.
Recommendation

Use the minimum necessary OAuth scopes, keep token files private, avoid sharing logs containing secrets, and revoke access if you stop using the integration.

What this means

Running the setup command executes code from the npm package on the user's machine.

Why it was flagged

The setup runs an external npm package without a version pin; this is central to the skill but users should verify the package source.

Skill content
- `npx -y oura-mcp-unofficial setup`
- `npx -y oura-mcp-unofficial auth`
Recommendation

Verify the GitHub repository and npm package, consider pinning a trusted version, and run setup in a least-privileged environment.

What this means

A connected agent may see personal health signals such as sleep, heart rate, HRV, SpO2, workouts, and activity data.

Why it was flagged

The MCP connection can expose sensitive health and wellness data to the connected agent; this is the intended function but requires trusted clients and explicit consent.

Skill content
Connect an MCP-compatible agent to local Oura readiness, sleep, activity, HRV, heart-rate, SpO2, and workout data.
Recommendation

Only connect trusted MCP clients, review the manifest/privacy audit first, and avoid asking the agent to reveal or store private health data unless intended.