Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Oura Ring

v0.1.0

Fetch Oura Ring readiness/sleep + 7-day readiness trends via Oura Cloud API V2, and generate a Morning Readiness Brief.

0 · 1.7k · 2 current · 2 all-time
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill's description (fetch Oura readiness/sleep/trends and produce a morning brief) matches the CLI and shell wrapper. However the registry metadata declares no required environment variables or primary credential, while the code and README clearly require an OURA token (OURA_TOKEN or OURA_PERSONAL_ACCESS_TOKEN). That mismatch between declared requirements and actual needs is a red flag.
Instruction Scope
SKILL.md instructions are scoped to obtaining an OAuth token, creating a .env, installing dependencies in a venv, and running the CLI or the morning_brief script — all appropriate for this purpose. However there are additional 'probe' scripts (probe_v2.py, probe_v2_sessions.py) that are not documented in SKILL.md and which load a .env from an absolute developer path; those files expand the code footprint beyond the documented runtime and should be reviewed/removed if not needed.
Install Mechanism
There is no install spec (instruction-only style), which is low risk. The provided requirements.txt only lists requests and python-dotenv, while the probe scripts reference httpx — an inconsistency in declared dependencies. No remote or obscure download/install steps are present.
! Credentials
The skill needs a sensitive bearer token to call the Oura API (OURA_TOKEN or OURA_PERSONAL_ACCESS_TOKEN), but the registry metadata does not declare these required env vars or a primary credential. The probe files also reference an absolute local path and a personal access token variable name, increasing the risk of accidentally using or exposing the wrong credential. Requiring a single Oura OAuth token is reasonable for the stated purpose, but the omission from metadata and the extra token names/path warrant caution.
Persistence & Privilege
The skill does not request persistent or elevated platform privileges and 'always' is false. It does not modify other skills or global agent configuration. The CLI and script run on demand and use a local .env; autonomous invocation remains possible (platform default) but not combined here with other high-risk flags.
What to consider before installing
What to check before installing or running this skill:

  • Expect to provide an OURA API token (OURA_TOKEN or OURA_PERSONAL_ACCESS_TOKEN). The package metadata did not declare this — that mismatch is likely an oversight. Do not proceed until you understand where your token will be stored (skills/oura-ring/.env is the default) and ensure you don't commit that file to source control.
  • Inspect and (ideally) remove or sanitize the probe_v2.py and probe_v2_sessions.py files. They reference a hard-coded developer path (/Users/sameerbajaj/...) and load a token from that location; that looks like leftover developer/debug code. If you do not need them, delete them to avoid accidental execution or accidental use of a local .env.
  • Confirm dependencies before running: requirements.txt lists requests and python-dotenv, but the probe scripts use httpx. If you run probes, install httpx separately or avoid running them.
  • Run the CLI in an isolated environment (virtualenv) as suggested and review the .env contents. Consider creating a least-privilege Oura API app/token rather than using broad personal tokens.
  • If you will allow an autonomous agent to call this skill, be aware it can access the Oura token you supply; ensure the agent's authorization scope and the token’s scope are limited to what you intend.

If the registry entry is meant to be public, ask the skill owner to update the manifest to declare the required environment variable(s) and to remove or document the probe scripts and any hard-coded paths. If you are unsure about the probe files or hidden behavior, prefer not to install or run the skill until the author clarifies.

Like a lobster shell, security has layers — review code before you run it.

1.7k downloads
0 stars
1 versions
Updated 13h ago
v0.1.0
MIT-0

Oura Ring (V1)

This skill provides a small, public-facing reference implementation for pulling Readiness, Sleep, and 7-day Readiness trends from the Oura V2 API (/v2/usercollection/*).

Quick Reference

  • CLI (raw data):

    • python3 skills/oura-ring/cli.py --format json --pretty readiness
    • python3 skills/oura-ring/cli.py --format json --pretty sleep
    • python3 skills/oura-ring/cli.py --format json --pretty trends
    • python3 skills/oura-ring/cli.py --format json --pretty resilience
    • python3 skills/oura-ring/cli.py --format json --pretty stress
  • Morning brief (formatted):

    • ./skills/oura-ring/scripts/morning_brief.sh

Features

  • Morning Readiness Brief: Tactical recommendation based on latest scores.
  • Trend Analysis: Insights on score changes over the last 7 days.
  • Resilience Tracking: Real-time capacity mapping for stress management.

Setup

1) Install dependencies (recommended: venv)

macOS/Homebrew Python often blocks system-wide pip install (PEP 668), so use a virtualenv:

python3 -m venv skills/oura-ring/.venv
source skills/oura-ring/.venv/bin/activate
python -m pip install -r skills/oura-ring/requirements.txt

2) Create your .env

Create skills/oura-ring/.env:

cp skills/oura-ring/.env.example skills/oura-ring/.env
# then edit skills/oura-ring/.env

The CLI reads:

  • OURA_TOKEN (required)
  • OURA_BASE_URL (optional; defaults to https://api.ouraring.com/v2/usercollection)

Getting an Oura token (OAuth2)

Oura V2 uses OAuth2 bearer tokens.

  1. Create an Oura API application:
  2. Set a Redirect URI (for local testing, something like http://localhost:8080/callback).
  3. Open the authorization URL (replace CLIENT_ID, REDIRECT_URI, and scope):
https://cloud.ouraring.com/oauth/authorize?response_type=code&client_id=CLIENT_ID&redirect_uri=REDIRECT_URI&scope=readiness%20sleep
  4. After approving, you’ll be redirected to your Redirect URI with a code=... query parameter.
  5. Exchange the code for an access token:
curl -X POST https://api.ouraring.com/oauth/token \
  -H 'Content-Type: application/x-www-form-urlencoded' \
  -d grant_type=authorization_code \
  -d client_id=CLIENT_ID \
  -d client_secret=CLIENT_SECRET \
  -d redirect_uri=REDIRECT_URI \
  -d code=AUTH_CODE
  6. Put the returned access_token into skills/oura-ring/.env as OURA_TOKEN=....

Notes:

  • Access tokens can expire; you may need to refresh using the refresh_token.
  • Do not commit your .env file.

Usage

Readiness

python3 skills/oura-ring/cli.py --env-file skills/oura-ring/.env --format json --pretty readiness

Sleep

python3 skills/oura-ring/cli.py --env-file skills/oura-ring/.env --format json --pretty sleep

Trends (last 7 days; paginated)

python3 skills/oura-ring/cli.py --env-file skills/oura-ring/.env --format json --pretty trends

Wrapper: Morning Readiness Brief

./skills/oura-ring/scripts/morning_brief.sh

Override the env file location:

OURA_ENV_FILE=/path/to/.env ./skills/oura-ring/scripts/morning_brief.sh

Run in mock mode (no token):

OURA_MOCK=1 ./skills/oura-ring/scripts/morning_brief.sh

Verification (no token required)

python3 skills/oura-ring/cli.py --mock readiness --format json
python3 skills/oura-ring/cli.py --mock sleep --format json
python3 skills/oura-ring/cli.py --mock trends --format json
