Ouraskill
PassAudited by ClawScan on May 1, 2026.
Overview
This appears to be a straightforward Oura health-data sync skill, with the main cautions being its use of a long-lived Oura token and persistent local markdown files containing sensitive health data.
Before installing, make sure you trust the skill with your Oura data, keep OURA_TOKEN secret, understand that health records will be written locally under health/, and enable cron only if you want automatic ongoing syncing.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or anything with access to this token may be able to access Oura account health data until the token is revoked.
The skill requires a long-lived Oura personal access token to fetch the user's health data. This is expected for the integration, but the credential is sensitive.
export OURA_TOKEN="your_personal_access_token" ... The token doesn't expire unless you revoke it.
Store OURA_TOKEN as a secret, avoid exposing it in shared logs or files, and revoke or rotate it if it may have been disclosed.
Your sleep, readiness, activity, heart-rate, stress, SpO2, and workout data may remain available to future OpenClaw conversations through local files.
The skill intentionally stores personal health data in markdown files for later agent use. This is core to the purpose, but it creates persistent local context containing sensitive information.
Health files are stored at `{baseDir}/health/YYYY-MM-DD.md` — one file per day. To answer health or fitness questions, read the relevant date's file from the `{baseDir}/health/` directory.Install only if you are comfortable storing this health data locally, and consider file permissions, backups, and retention or deletion practices for the health/ directory.
If cron is enabled, the skill may refresh local health files each morning without a new manual command.
The skill recommends optional scheduled background syncing. It is disclosed and purpose-aligned, but it means the sync can continue automatically after setup.
Schedule the sync script to run every morning using OpenClaw's `cron` tool so your health data stays up to date automatically.
Use cron only if you want ongoing automatic syncing, and remove the scheduled job if you no longer want the skill to update health files.
Future installs or runs may resolve whatever version of the dependency is available, which can affect behavior if the package changes.
The uv script declares a third-party dependency without a pinned version. This is a normal mechanism for this kind of Python helper script, but dependency provenance and version drift matter.
# dependencies = ["oura-ring"]
Prefer a reviewed or pinned dependency version if reproducibility is important, and install from trusted package sources.