Retrieve and summarize health, sleep, activity, readiness, and biometric data from the Oura Ring API via a command-line interface.
Security Analysis
Medium confidence: The SKILL.md clearly implements an Oura CLI workflow (clone from GitHub, build, and use OAuth credentials), but the registry metadata omits the credentials and config-path requirements, and the skill asks the agent to download, build, and run external code. The pieces are coherent for Oura integration, but the metadata/instruction mismatch and the need to execute external binaries are concerning.
The skill's name and SKILL.md describe an Oura Ring CLI integration, and the instructions (git clone oura-cli, build, use OAuth) match that purpose. However, the registry metadata declares no required env vars or config paths, even though the runtime instructions explicitly require OURA_CLIENT_ID and OURA_CLIENT_SECRET and state that tokens are stored in ~/.config/oura-cli/config.json. This mismatch between metadata and instructions is an inconsistency that should be clarified.
The instructions stay within the stated purpose (fetching Oura health data) and include sensible guidance about date resolution and CLI usage. They do instruct the agent (or user) to run commands that will clone a repo, build a binary, and perform OAuth flows that open a browser. The instructions reference storing tokens in ~/.config/oura-cli/config.json; while that is needed for the CLI, it means the agent or user must allow creation and reading of a config file containing tokens.
There is no formal install spec in the registry (skill is instruction-only). The SKILL.md directs cloning code from GitHub and running go build — a reasonable approach for this integration, but it results in downloading and executing code from an external repository. That is expected for this purpose but increases risk because the built binary will run locally and could perform arbitrary actions.
The runtime requires OURA_CLIENT_ID and OURA_CLIENT_SECRET and writes OAuth tokens to ~/.config/oura-cli/config.json, which is proportionate to accessing the Oura API. However, the skill metadata declares no required environment variables or config paths — this omission is a red flag (the skill will need secrets and to store tokens but doesn't declare them). The required secrets themselves are limited to Oura OAuth credentials and not obviously excessive.
The skill does not request always:true and does not attempt to modify other skills' configurations. It will write OAuth tokens to the user's config directory (~/.config/oura-cli/config.json) as part of normal OAuth flows; that is expected for this type of integration but means sensitive tokens are persisted on disk.
Guidance
This skill's instructions are consistent with an Oura CLI integration, but the registry metadata failed to declare the OAuth environment variables and config path that the SKILL.md requires. Before installing or running this skill: (1) review the referenced GitHub repository (https://github.com/ruhrpotter/oura-cli) to ensure you trust the source and inspect what the binary does; (2) be aware you'll need to create an Oura OAuth app and provide OURA_CLIENT_ID and OURA_CLIENT_SECRET — keep these secrets secure; (3) OAuth tokens will be stored at ~/.config/oura-cli/config.json, so consider where that file is written and who/what can read it; (4) prefer running the build and auth steps in a controlled environment (or container) until you vet the code; (5) if you don't want to build/run external binaries, ask for an official or platform-managed Oura integration instead. If the publisher can update the registry metadata to declare the required env vars and config path, that would reduce the incoherence and raise confidence.
Latest Release
v1.0.2
Added installation instructions (git clone, go build, OAuth setup)
Published by @ruhrpotter on ClawHub