Back to skill

Security audit

Oura Ring

Security checks across malware telemetry and agentic risk

Overview

The core Oura integration looks legitimate, but it needs review because some bundled scripts handle health tokens and live API calls with weak or misleading controls.

Review before installing. Use a least-privilege Oura token, keep `.env` private, avoid running the probe scripts, and do not rely on the documented morning brief mock/env-file overrides until the wrapper is fixed. The package does not show destructive behavior or intentional exfiltration, but it handles sensitive health data with enough under-scoped behavior to warrant the Review bucket.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill documentation shows use of environment variables and outbound network access, but the skill metadata does not declare corresponding permissions. That creates a transparency and governance gap: users or platforms may approve the skill without understanding that it reads secrets from `.env` and sends requests to an external API.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The declared purpose says the skill fetches readiness, sleep, and 7-day readiness trends, but the documentation also advertises resilience and stress endpoints and mentions probe scripts using a local `.env` path. Behavior beyond the declared scope is dangerous because it can lead to over-collection of sensitive health data and hidden credential usage that users did not knowingly authorize.

Context-Inappropriate Capability

Low
Confidence
90% confidence
Finding
Hard-coding an absolute path to a local .env file couples the script to a specific user environment and encourages unsafe secret-handling practices. It can expose filesystem layout details and increases the chance that credentials are loaded from unintended locations or committed into operational workflows without review.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script loads credentials from a hard-coded absolute .env path on the developer's machine, which creates an unnecessary dependency on local secret material and exposes filesystem layout details. In a skill context, this encourages secret access outside normal runtime configuration and can lead to accidental credential use, leakage, or execution against a real user account without clear consent boundaries.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The code reads a personal access token and immediately uses it to query the Oura API without any disclosure, confirmation, or visible consent mechanism. Because the skill handles health-related readiness and sleep data, silent credential use and remote transmission increases privacy risk and makes unintended access to sensitive personal data more serious.

Credential Access

High
Category
Privilege Escalation
Content
import httpx
from dotenv import load_dotenv

load_dotenv("/Users/sameerbajaj/clawd/skills/oura-ring/.env")
token = os.getenv("OURA_PERSONAL_ACCESS_TOKEN")
base_url = "https://api.ouraring.com/v2/usercollection"
headers = {"Authorization": f"Bearer {token}"}
Confidence
89% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
import httpx
from dotenv import load_dotenv

load_dotenv("/Users/sameerbajaj/clawd/skills/oura-ring/.env")
token = os.getenv("OURA_PERSONAL_ACCESS_TOKEN")
base_url = "https://api.ouraring.com/v2/usercollection"
headers = {"Authorization": f"Bearer {token}"}
Confidence
95% confidence
Finding
.env"

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
python-dotenv>=1.0.0
Confidence
97% confidence
Finding
requests>=2.31.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.31.0
python-dotenv>=1.0.0
Confidence
96% confidence
Finding
python-dotenv>=1.0.0

Known Vulnerable Dependency: requests==2.31.0 — 5 advisory(ies): CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi); CVE-2026-25645 (Requests has Insecure Temp File Reuse in its extract_zipped_paths() utility func) +2 more

Medium
Category
Supply Chain
Confidence
91% confidence
Finding
requests==2.31.0

Known Vulnerable Dependency: python-dotenv==1.0.0 — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category
Supply Chain
Confidence
80% confidence
Finding
python-dotenv==1.0.0

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.