Back to skill

Security audit

Oura Ring Data

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed, read-only Oura Ring CLI skill, but it can expose sensitive health and profile data if used broadly.

Install only if you trust this skill with your Oura account data. Prefer narrow commands and date ranges, avoid the all command unless you intend to retrieve everything available, protect PERSONAL_ACCESS_TOKEN from prompts/logs/source control, and treat JSON or HTML reports as sensitive personal health records.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill uses sensitive capabilities—environment secret access, network-backed API retrieval through the CLI, and file output/redirection—without declaring permissions or clearly constraining their use. This weakens user awareness and policy enforcement, especially because the skill handles health data and references secrets files and HTML report generation.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The declared description suggests limited access to common Oura metrics, but the skill also enables access to broader and more sensitive categories such as personal profile information, tags, and bulk 'all' retrieval, plus report generation. That mismatch can cause users or reviewers to underestimate the scope of data collection and exfiltration risk, which is especially serious for health and personal data.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill manifest describes access to health metrics such as sleep, activity, heart rate, readiness, and stress, but this code also retrieves personal profile information via get_personal_info(). That is a scope expansion into broader personal data not clearly disclosed, which increases privacy risk if users or calling agents expect only metric retrieval.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The bulk collection method gathers nearly every available Oura category, including workouts, sessions, tags, rest mode periods, SpO2, and personal info, which goes beyond the stated use cases. Over-collection of sensitive health and lifestyle data violates data minimization principles and increases the blast radius of accidental exposure, logging, or downstream misuse.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The test suite explicitly exercises a `personal-info` endpoint and validates exposure of an email address, even though the skill description emphasizes health metrics rather than identity data. In a health-data skill, expanding supported/validated outputs to personally identifying information increases the risk of unnecessary data exposure, especially because tests often normalize and preserve that behavior during future refactors.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The README directs users to copy a secrets file and place an Oura personal access token into it, but provides no guidance on secure storage, permissions, .gitignore protection, or avoiding accidental disclosure. This can lead to credential leakage through source control, backups, screenshots, or shared workspaces, especially in an agent/tooling context where automated systems may read local files.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill operates on highly sensitive health and profile data but does not provide a clear user-facing warning or consent-oriented framing before access. In this context, missing disclosure increases the chance of over-collection or accidental exposure of regulated or intimate data such as sleep, heart rate, stress, SpO2, and profile details.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
These tests verify that formatted output contains a specific email address in JSON and HTML, which codifies direct exposure of sensitive personal data without any warning, redaction, or privacy guardrails. Because the skill handles health-related data, combining health context with identity data raises privacy risk and makes accidental leakage through logs, snapshots, reports, or rendered output more damaging.

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
94% confidence
Finding
requests

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.