Ouraskill

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it syncs Oura Ring health data into local markdown files, with privacy-sensitive but disclosed behavior.

Install only if you are comfortable storing Oura health data as local plaintext markdown. Keep the output directory private, avoid committing or syncing it unintentionally, store OURA_TOKEN as a protected secret, and revoke the token if it is exposed. Enable cron only if you want automatic ongoing syncing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The README explicitly promotes syncing highly sensitive health data into local markdown files but does not warn users that these files may be readable by other local users, included in backups, indexed by search tools, or accidentally committed to source control. In the context of a health-data sync skill, this omission increases the risk of inadvertent exposure of medical and wellness information.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The documentation instructs users to place a long-lived personal access token in an environment variable and directly in a cron line without warning about shell history, process-list exposure in some environments, or accidental disclosure through logs and shared config files. Because the token grants access to private Oura data and does not expire unless revoked, poor handling could enable unauthorized access to sensitive account data.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The skill description and usage text do not clearly warn that syncing will create persistent per-day health records on disk. Because the data includes sensitive health metrics such as sleep, heart rate, stress, and SpO2, undisclosed local persistence increases privacy risk and may cause users to store regulated or highly personal data unintentionally.

VirusTotal

66/66 vendors flagged this skill as clean.