Oura Cli

Review

Audited by ClawScan on May 10, 2026.

Overview

This appears to be a purpose-aligned Oura Ring data reader, but it requires sensitive Oura OAuth access and stores tokens locally.

This skill looks coherent for reading Oura Ring data. Before installing, make sure you trust the local `./oura` binary, understand that it can access sensitive health and profile data, and protect or revoke the stored OAuth credentials when needed.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Once authorized, the CLI can retrieve detailed Oura profile, sleep, activity, heart-rate, stress, and related health information.

Why it was flagged

The OAuth grant covers many Oura account and health-data categories. This is aligned with the skill purpose, but it gives the CLI access to sensitive personal and biometric data.

Skill content

Scopes: []string{"email", "personal", "daily", "heartrate", "workout", "tag", "session", "spo2", "stress", "ring_configuration", "cardiovascular", "heart_health"}

Recommendation

Authorize only if you trust the built binary and want the agent to access these Oura categories; revoke the Oura app token if you stop using it.

What this means

Anyone who can read the local config file may be able to use the stored credentials to access Oura data until the token is revoked or expires.

Why it was flagged

The local config includes the client secret plus access and refresh tokens, which are long-lived credentials for the user's Oura account.

Skill content

ClientSecret string `json:"client_secret"`
AccessToken  string `json:"access_token"`
RefreshToken string `json:"refresh_token"`

Recommendation

Keep the config file private, avoid using this on shared machines, and consider setting restrictive file permissions such as user-only read/write.

What this means

If the local `./oura` binary comes from the wrong source, the agent could run unintended code when following the skill instructions.

Why it was flagged

The README describes building a local binary rather than using a registry install spec or verified package, so the trustworthiness of the cloned source matters.

Skill content

git clone <repository-url>
cd oura-cli
go build -o oura ./cmd/oura

Recommendation

Build `./oura` only from the intended repository and verify the source before authenticating with Oura.