Oura Health

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Oura health-data helper, but it handles sensitive health, profile, and token data that users should keep private.

Install only if you want your agent to read your Oura account data. Keep the credentials file private, leave base_url pointed at the official Oura API unless you know exactly why you are changing it, avoid running status or alerts in shared chats or logs, and revoke the Oura token if it is exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 93%
Finding
The skill clearly requires outbound network access to the Oura API, but the manifest does not declare that capability. Undeclared capabilities weaken review and consent controls because users and platforms cannot accurately understand what the skill can do before execution.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 95%
Finding
The documented purpose emphasizes sleep/readiness/activity queries, but the behavior also includes retrieval of personal profile identifiers and generation of proactive health alerts. That mismatch is dangerous because users may consent to a wellness lookup without realizing the skill also processes identity-linked health data and emits potentially sensitive inferences.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
The status command exposes personal profile fields including age, sex, email, weight, and height, which go beyond the skill's stated purpose of reporting sleep, readiness, activity, heart rate, and trends. In an agent setting, this broadens data exposure and can disclose unnecessary sensitive personal information to users, logs, or downstream consumers.

Vague Triggers

Medium
Confidence: 82%
Finding
The trigger list includes broad health-related phrases like heart rate, readiness, and health briefing that may match ordinary conversation and invoke the skill unintentionally. In this context, accidental invocation can expose or process sensitive health data without clear user intent, increasing privacy risk.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill handles sensitive health and identity data, including sleep, HRV, temperature deviation, age, email, and biological sex, but the documentation provides no explicit privacy warning or consent boundary. In a health-data context, silent access and display of such information materially increases privacy harm if invoked accidentally, viewed by others, or logged.

VirusTotal

64/64 vendors flagged this skill as clean.
