ClawHub

Oura Ring Data

v0.1.0

Access Oura Ring health data using the ouracli CLI tool. Use when user asks about "oura data", "sleep stats", "activity data", "heart rate", "readiness score", "stress levels", or wants health metrics from their Oura Ring.

1· 1.8k·1 current·1 all-time
by@visionik
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The SKILL.md clearly describes running the ouracli CLI and requires a PERSONAL_ACCESS_TOKEN, which is coherent with the described purpose. However, the registry metadata lists no required binaries and no required environment variables, which under-declares the actual needs. The presence of packaged ouracli source files but no install instructions increases the mismatch.
!
Instruction Scope
Instructions explicitly tell the agent to run ouracli via Bash and to check for a PERSONAL_ACCESS_TOKEN stored in secrets/oura.env or ~/.secrets/oura.env. That means the agent will be expected to read local secret files and run shell commands — appropriate for a CLI but sensitive. The SKILL.md does not instruct any unrelated data access, but it does assume and require access to local secret paths that the metadata does not declare.
Install Mechanism
No install spec is provided (instruction-only), yet the skill bundle contains full ouracli source files and tests. Either the skill expects ouracli to already be on PATH or the package forgot to include installation steps. This is an inconsistency and may cause runtime failures or unexpected behavior if the environment differs from the author's assumptions.
!
Credentials
The SKILL.md requires a PERSONAL_ACCESS_TOKEN (from secrets/oura.env or ~/.secrets/oura.env), which is proportionate to accessing the Oura API. But the declared requirements list no environment variables and no primary credential — the credential requirement is missing from metadata. Asking the agent to read local secret files is sensitive and should be explicitly declared.
Persistence & Privilege
No 'always: true' or other elevated persistence flags are set, and model invocation flags are default. The skill does not request permanent inclusion or explicit autonomous invocation privileges beyond the platform defaults.
What to consider before installing
This skill's README/instructions require the ouracli CLI and an Oura PERSONAL_ACCESS_TOKEN stored in a secrets file, but the registry metadata doesn't declare those needs and there is no install step. Before installing or enabling it: (1) confirm how ouracli is expected to be provided (is it preinstalled or should the package install it?), (2) do not place your token in a plaintext file unless you trust the environment — prefer supplying a token through the platform's secure secret mechanism, (3) ask the publisher to update metadata to list PERSONAL_ACCESS_TOKEN as a required credential and to add a clear install spec, and (4) review the included source (client.py) to verify network behavior and that no unexpected data exfiltration occurs. If you cannot verify these things, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latestvk9770p8qeer4vty67b8q6y94bs7zzc72

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments