oura-analytics
Pass
Audited by Gen Agent Trust Hub on Mar 22, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill communicates with the official Oura Cloud API (api.ouraring.com) to retrieve user health data and the official Telegram Bot API (api.telegram.org) to send automated alerts. Both are well-known technology services and are used appropriately for the skill's stated purpose.
- [CREDENTIALS_UNSAFE]: API tokens for Oura and Telegram are managed securely via environment variables (OURA_API_TOKEN, TELEGRAM_BOT_TOKEN). No hardcoded secrets or credentials were found in the source code or configuration templates.
- [DATA_EXFILTRATION]: No unauthorized data exfiltration was detected. Sensitive health metrics are stored locally in the user's home directory (~/.oura-analytics/) for caching or sent to a user-configured Telegram chat. The skill explicitly documents its data handling and privacy controls in SECURITY.md.
- [COMMAND_EXECUTION]: Local Python scripts are used for data processing and report generation. The implementation uses standard libraries and does not include patterns for arbitrary command execution or shell injection.
- [SAFE]: The skill follows security best practices, including data ownership (local storage), clear documentation on how to clear/export data, and the absence of dynamic execution or obfuscated code.
Audit Metadata