← 返回 Skills 市场
879
总下载
2
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install oura-cli
功能描述
Retrieve health and biometric data from your Oura Ring via CLI commands for sleep, activity, readiness, heart rate, and more using specified dates.
安全使用建议
What to consider before installing or running this skill:
- The bundled code is a normal Oura CLI: it uses OAuth and will store your Client ID/Secret and tokens in ~/.config/oura-cli/config.json. If you run it, expect local persistent storage of credentials and tokens.
- The registry metadata omitted required env vars and an install/build step. Before running any binary, either build the included source locally (go build ./cmd/oura) or inspect the code yourself. Do not run an unreviewed prebuilt binary.
- The auth flow starts a temporary HTTP server on localhost:8080 to receive the OAuth callback; that can interfere with existing services using that port. If you do authentication, prefer creating a dedicated Oura app with minimal scopes and revoke the app afterwards if you don't trust it.
- If you only want agent-driven answers (without giving real credentials), avoid providing your production Oura client secret. Consider testing with a throwaway account or running the CLI in an isolated environment (container or VM).
- The mismatches (no declared env vars, no install steps) are likely sloppy metadata rather than malicious intent, but they reduce transparency. If you plan to use this skill, inspect the source files provided and confirm you are comfortable with the local config behavior and OAuth scopes before proceeding.
功能分析
Type: OpenClaw Skill
Name: oura-cli
Version: 1.0.0
The skill is classified as suspicious due to a vulnerability in how OAuth tokens are stored. The `internal/config/config.go` file uses `os.Create` to save `config.json`, which by default creates files with world-readable permissions (e.g., 0644 on most systems after umask). This allows other local users on the same system to read the `AccessToken` and `RefreshToken`, potentially leading to unauthorized access to the user's Oura data. While the core functionality is benign and the prompt injection instructions in `SKILL.md` are for legitimate tool usage, this information disclosure vulnerability is a significant security flaw.
能力评估
Purpose & Capability
The code and SKILL.md implement an Oura Ring CLI that queries the Oura V2 API and returns JSON — this matches the expected purpose. There are no unrelated network endpoints or unrelated credentials requested in the source. Functionality (sleep, activity, readiness, heartrate, etc.) aligns with the stated capability.
Instruction Scope
The SKILL.md instructs the agent to run a local binary (./oura) and to resolve dates and parse JSON responses — that stays within the Oura-CLI purpose. However, invoking the CLI will read/write the user's config at the standard config directory (~/.config/oura-cli/config.json) and the auth flow starts a local HTTP server on port 8080 to receive OAuth callbacks. The SKILL.md does not explicitly mention the local server or persistent config file behavior, which is relevant runtime scope.
Install Mechanism
No install spec is provided in the registry (instruction-only), but full Go source files are bundled and the README documents a 'go build' workflow. The SKILL.md assumes a built ./oura binary is present; the absence of an install/build step in metadata is a mismatch but not inherently malicious. Risk is low provided you build/review the included source yourself; running pre-built binaries without inspection would be higher risk.
Credentials
Registry metadata declares no required environment variables, but the code and README legitimately use OURA_CLIENT_ID and OURA_CLIENT_SECRET (and may read them from env or prompt). The tool also stores OAuth tokens and secrets in the user's config directory (~/.config/oura-cli/config.json). The omission of these env requirements and the config path from metadata is an inconsistency that affects sensitive data handling and should be disclosed to users.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide settings. It does persist its own config (client id/secret, access/refresh tokens) under the user's config directory, and its auth flow opens a local HTTP listener on port 8080 during login — both are normal for an OAuth CLI but worth noting as side effects.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install oura-cli - 安装完成后,直接呼叫该 Skill 的名称或使用
/oura-cli触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release: Adds CLI integration for Oura Ring biometric data access and querying.
- Enables retrieval of sleep, activity, readiness, heart rate, and more from the Oura API v2 via command-line.
- Supports flexible date range arguments with absolute date resolution for user-friendly queries.
- Returns JSON data, which should be parsed and summarized in natural language.
- Includes extensive data category support (e.g., sleep-details, workout, vo2-max, stress, resilience).
- Notifies users about authentication requirements on auth errors.
- Provides clear usage examples for common queries.
元数据
常见问题
Oura Cli 是什么?
Retrieve health and biometric data from your Oura Ring via CLI commands for sleep, activity, readiness, heart rate, and more using specified dates. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 879 次。
如何安装 Oura Cli?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install oura-cli」即可一键安装,无需额外配置。
Oura Cli 是免费的吗?
是的,Oura Cli 完全免费(开源免费),可自由下载、安装和使用。
Oura Cli 支持哪些平台?
Oura Cli 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Oura Cli?
由 Danielle(@supadoopa)开发并维护,当前版本 v1.0.0。
推荐 Skills