Skill v1.0.0
VirusTotal security
Oura Cli · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 3:49 AM
- Hash: 6ded256e4567a473c7071d40fab051773525ed2eedcc6e09e76107c780373612
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: oura-cli; Version: 1.0.0. The skill is classified as suspicious due to a vulnerability in how OAuth tokens are stored. The `internal/config/config.go` file uses `os.Create` to save `config.json`, which by default creates files with world-readable permissions (e.g., 0644 on most systems after umask). This allows other local users on the same system to read the `AccessToken` and `RefreshToken`, potentially leading to unauthorized access to the user's Oura data. While the core functionality is benign and the prompt injection instructions in `SKILL.md` are for legitimate tool usage, this information disclosure vulnerability is a significant security flaw.
