Access Oura Ring health data using the ouracli CLI tool. Use when user asks about "oura data", "sleep stats", "activity data", "heart rate", "readiness score", "stress levels", or wants health metrics from their Oura Ring.
Security Analysis
high confidenceThe skill's instructions say it needs an Oura personal access token and the ouracli CLI, but the package metadata does not declare those requirements and there are code files present without an install spec — the pieces don't line up.
The SKILL.md clearly describes running the ouracli CLI and requires a PERSONAL_ACCESS_TOKEN, which is coherent with the described purpose. However, the registry metadata lists no required binaries and no required environment variables, which under-declares the actual needs. The presence of packaged ouracli source files but no install instructions increases the mismatch.
Instructions explicitly tell the agent to run ouracli via Bash and to check for a PERSONAL_ACCESS_TOKEN stored in secrets/oura.env or ~/.secrets/oura.env. That means the agent will be expected to read local secret files and run shell commands — appropriate for a CLI but sensitive. The SKILL.md does not instruct any unrelated data access, but it does assume and require access to local secret paths that the metadata does not declare.
No install spec is provided (instruction-only), yet the skill bundle contains full ouracli source files and tests. Either the skill expects ouracli to already be on PATH or the package forgot to include installation steps. This is an inconsistency and may cause runtime failures or unexpected behavior if the environment differs from the author's assumptions.
The SKILL.md requires a PERSONAL_ACCESS_TOKEN (from secrets/oura.env or ~/.secrets/oura.env), which is proportionate to accessing the Oura API. But the declared requirements list no environment variables and no primary credential — the credential requirement is missing from metadata. Asking the agent to read local secret files is sensitive and should be explicitly declared.
No 'always: true' or other elevated persistence flags are set, and model invocation flags are default. The skill does not request permanent inclusion or explicit autonomous invocation privileges beyond the platform defaults.
Guidance
This skill's README/instructions require the ouracli CLI and an Oura PERSONAL_ACCESS_TOKEN stored in a secrets file, but the registry metadata doesn't declare those needs and there is no install step. Before installing or enabling it: (1) confirm how ouracli is expected to be provided (is it preinstalled or should the package install it?), (2) do not place your token in a plaintext file unless you trust the environment — prefer supplying a token through the platform's secure secret mechanism, (3) ask the publisher to update metadata to list PERSONAL_ACCESS_TOKEN as a required credential and to add a clear install spec, and (4) review the included source (client.py) to verify network behavior and that no unexpected data exfiltration occurs. If you cannot verify these things, treat the skill as untrusted.
Latest Release
v0.1.0
Initial release of Oura Ring data integration via the ouracli CLI tool. - Retrieve Oura Ring health data (activity, sleep, readiness, heart rate, etc.) using simple Bash commands. - Detailed instructions and examples for specifying date ranges (single date, relative ranges, or date + duration). - Emphasis on correct date range syntax—use quoted date/duration, not separate dates or "to" syntax. - Guidance on output formats: always use `--json` for reliable data analysis. - Critical authentication requirements and troubleshooting included. - Quick reference table for common data queries.
More by @visionik
Published by @visionik on ClawHub
