Oura Ring Data
Pass. Audited by ClawScan on May 1, 2026.
Overview
This appears to be a read-only Oura Ring data helper, but it uses your Oura token and can display sensitive health and profile information.
Install and use this only if you trust the package. Keep your Oura token in a protected secrets file, prefer narrow date ranges and specific data types, and avoid the broad 'all' command unless you intend to expose all available Oura data to the agent.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent can run local shell commands to retrieve Oura data; accidental broad queries could expose more health data in the conversation than intended.
The skill allows Bash so the agent can invoke the local ouracli command. This is central to the stated purpose, and the shown commands are read-only, but Bash is broader than a narrowly scoped API tool.
allowed-tools: Bash ... ouracli all "7 days" --json
Use specific commands such as activity, sleep, or readiness with narrow date ranges, and avoid 'all' unless you really want all available data.
Anyone or any agent with access to that token may be able to read Oura health and profile data allowed by the token.
The skill uses a local Oura personal access token to access the user's account data. This is expected for the integration, but it is sensitive delegated account access.
The tool requires a `PERSONAL_ACCESS_TOKEN` environment variable. ... Token location: `secrets/oura.env` or `~/.secrets/oura.env`
Store the token securely, restrict file permissions on the secrets file, revoke the token if no longer needed, and install this only from a source you trust.
You have less assurance about where the package came from or how updates should be verified.
The package provenance is not clearly linked to a public source or homepage in the registry metadata. The included code is coherent, but users have less external provenance to verify.
Source: unknown Homepage: none
Verify the package source before installing or providing an Oura token, and review dependency/install steps if installing the included CLI.
Your query parameters and authenticated requests go to Oura, and the returned health data may be shown to the agent.
The client makes HTTPS GET requests to the official Oura API to retrieve health data. This external provider communication is disclosed and purpose-aligned.
BASE_URL = "https://api.ouraring.com/v2" ... response = self.session.get(url, params=params)
Only request data you are comfortable sharing in the current conversation, and avoid copying generated outputs to untrusted locations.
