Trust Assessment
oura-ring received a trust score of 64/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 6 findings: 0 critical, 0 high, 5 medium, and 1 low severity. Key findings include: 'Suspicious import: requests', 'Unpinned Python dependency version', and 'Hardcoded absolute path for environment file'.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (6)
| Severity | Finding | Description | Layer | Location |
|---|---|---|---|---|
| MEDIUM | Suspicious import: requests | Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | skills/sameerbajaj/oura-ring-skill/cli.py:27 |
| MEDIUM | Unpinned Python dependency version | Requirement 'requests>=2.31.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/sameerbajaj/oura-ring-skill/requirements.txt:1 |
| MEDIUM | Unpinned Python dependency version | Requirement 'python-dotenv>=1.0.0' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/sameerbajaj/oura-ring-skill/requirements.txt:2 |
| MEDIUM | Hardcoded absolute path for environment file | The `probe_v2.py` and `probe_v2_sessions.py` scripts use a hardcoded absolute path (`/Users/sameerbajaj/clawd/skills/oura-ring/.env`) to load environment variables. This assumes a specific host filesystem structure, making the skill less portable and likely to fail in other environments. While the path points to the skill's own `.env` file, relying on an absolute path rather than a relative path or `python-dotenv`'s `find_dotenv()` implies knowledge of the specific host system and could be interpreted as an attempt to access files outside of a relative sandbox. Replace the hardcoded absolute path with a relative path (e.g., `load_dotenv(os.path.join(os.path.dirname(__file__), ".env"))`) or use `dotenv.find_dotenv()` to locate the `.env` file dynamically. | LLM | probe_v2.py:7 |
| MEDIUM | Hardcoded absolute path for environment file | Same finding as above: `probe_v2_sessions.py` loads environment variables from the hardcoded absolute path `/Users/sameerbajaj/clawd/skills/oura-ring/.env`. Replace it with a path relative to `__file__` or use `dotenv.find_dotenv()` to locate the `.env` file dynamically. | LLM | probe_v2_sessions.py:7 |
| LOW | Unpinned dependencies in requirements.txt | The `requirements.txt` file specifies minimum versions for `requests` and `python-dotenv` (e.g., `requests>=2.31.0`, `python-dotenv>=1.0.0`) rather than exact versions. This can lead to non-deterministic builds and to compatibility issues or unexpected behavior if newer versions introduce breaking changes or unpatched vulnerabilities. While not a direct exploit, it increases the risk of supply chain issues. Pin dependencies to exact versions (e.g., `requests==2.31.0`) to ensure reproducible and secure environments. Consider using a lock file (e.g., `pip freeze > requirements.lock`) for production deployments. | LLM | requirements.txt:1 |
Full report: [https://skillshield.io/report/4e3d667b3ca7fdc4](https://skillshield.io/report/4e3d667b3ca7fdc4)