Oura Cli

Security checks across malware telemetry and agentic risk

Overview

The skill does what it says, but it handles sensitive Oura health data and stores OAuth credentials locally without adequate safeguards or warning.

Install only if you trust the source and are comfortable granting broad access to Oura health and profile data. Use it on a single-user machine, keep `~/.config/oura-cli/config.json` out of synced or shared locations, restrict that file to user-only access, and revoke the Oura application token if you stop using the tool.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Context-Inappropriate Capability

Medium, 87% confidence
Finding
The OAuth configuration requests an unusually broad set of sensitive scopes, including multiple categories of health data, without any visible in-file justification or scope minimization. Overbroad permissions increase the blast radius of token theft or misuse and violate least-privilege principles, especially for health-related APIs.

Context-Inappropriate Capability

Medium, 98% confidence
Finding
The login flow generates the authorization URL with a fixed state value and the callback handler never validates the returned state parameter before exchanging the authorization code. This breaks CSRF protections in OAuth and can allow an attacker to inject an authorization code tied to a different session or account, causing token confusion or account mix-up.

Missing User Warnings

Medium, 92% confidence
Finding
The README explicitly states that an OAuth access token is stored locally in `~/.config/oura-cli/config.json` but does not warn users about the sensitivity of that token, file permissions, or risks from multi-user systems and backups. Because this CLI accesses highly sensitive health data, unclear token-handling guidance increases the chance of accidental exposure and unauthorized API access.

Missing User Warnings

Medium, 93% confidence
Finding
The skill is explicitly designed to retrieve highly sensitive health and profile data, including sleep, heart rate, SpO2, stress, and personal profile information, yet it provides no privacy disclosure, consent guidance, or data-minimization boundaries. In an agent setting, this can lead to over-collection or disclosure of regulated or intimate personal data without the user clearly understanding what categories will be accessed.

Missing User Warnings

Low, 84% confidence
Finding
The authentication guidance tells the user to log in when auth fails but does not explain that doing so grants the CLI access to the user's Oura account and sensitive biometric records. This omission can cause users to authenticate without understanding the scope of access or the privacy implications, especially in a delegated agent workflow.

Missing User Warnings

Medium, 90% confidence
Finding
The CLI reads the client secret using a normal buffered stdin read after printing a prompt, which means the secret is likely echoed on screen and can be exposed through terminal recording, shoulder surfing, or other console-capture mechanisms. In a tool handling OAuth credentials, collecting secrets this way unnecessarily increases the risk of credential disclosure even though it does not by itself imply malicious behavior.

Missing User Warnings

Medium, 95% confidence
Finding
The code persists OAuth-style secrets and tokens (client secret, access token, refresh token) to a JSON file on disk using default directory/file permissions and without any protection such as OS keychain storage or restrictive chmod. If another local user, malware, backups, or misconfigured file sharing can read the file, the tokens can be stolen and used to access the associated account or API.

VirusTotal

66/66 vendors flagged this skill as clean.
