Oura Ring Data

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed, read-only Oura Ring data CLI, but users should treat its token and health-data output as sensitive.

Install only if you trust the publisher with access to your Oura data. Prefer specific commands and narrow date ranges, avoid the 'all' command unless you intend to expose everything available, and keep PERSONAL_ACCESS_TOKEN out of prompts, logs, screenshots, and shared repositories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The CLI exposes significantly broader health and profile data access than the skill metadata advertises, including personal information and a bulk 'all' retrieval mode. This creates a scope-mismatch risk: an agent or user may invoke the skill expecting limited sleep/activity/readiness access, but the implementation can return additional sensitive categories, increasing the chance of over-collection or unauthorized disclosure of health data.

Description-Behavior Mismatch

Medium
Confidence: 89%
Finding
The client exposes methods for additional Oura data domains beyond the skill description’s stated focus on health metrics, including tags, sessions, rest mode periods, workouts, and personal information. In a health-data skill, this scope expansion increases privacy risk because an agent can access more sensitive user data than users would reasonably expect from the manifest description.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The get_all_data helper aggregates nearly every available data category, including personal_info and several non-metric collections, which materially exceeds the principle of least privilege for a skill described as providing selected health metrics. This creates a meaningful overcollection risk: a single call can retrieve a broad health and profile dataset that may later be exposed, logged, or misused by downstream components.

Missing User Warnings

Medium
Confidence: 89%
Finding
The README instructs users to copy an example environment file and add an Oura personal access token, but it provides no guidance on securing that file, excluding it from version control, or avoiding accidental disclosure in logs, screenshots, or shared workspaces. In an agent/CLI context, this increases the chance that a sensitive long-lived API credential will be stored insecurely and later exposed, allowing unauthorized access to the user's health data.

Missing User Warnings

Medium
Confidence: 91%
Finding
This skill handles highly sensitive health data, yet the description and introductory sections do not clearly warn users that running it may retrieve and expose personal health metrics from their Oura account. In practice, insufficient disclosure increases the risk of uninformed consent, oversharing in chat/output, and accidental exposure of regulated or intimate personal data.

VirusTotal

66/66 vendors flagged this skill as clean.
