Garmin Connect

This skill appears to do what it says (sync Garmin data), but there are several red flags you should consider before installing: - Do NOT run the auth script with your password on the command line if you can avoid it (they show python3 scripts/garmin-auth.py <email> <password>) — that exposes credentials in shell history and process lists. Prefer a browser-based OAuth flow (garth-cli) if available. - The SKILL.md claims 'OAuth-based (secure, no password storage)' but other parts instruct using username/password and even recommend disabling 2FA — never disable 2FA for convenience. This contradiction is a security concern. - requirements.txt is incomplete (the code imports 'garth' but it's not listed). Verify and install dependencies explicitly, and inspect the 'garth' and 'garminconnect' packages before trusting them. - The code contains developer hard-coded paths and sample emails (e.g., /home/mamotec, moritz.vogt@vogges.de). Review and edit scripts to use Path.home() and your own account details before running. - The session file (~/.garth/session.json) and the cache (~/.clawdbot/.garmin-cache.json) store tokens/data locally; ensure those files have proper filesystem permissions and are kept private. If you want to proceed safely: review the garth package source (or use an officially supported Garmin OAuth flow), avoid passing passwords on command lines, restore 2FA on your account, and run the code in an isolated environment (VM or container) until you're comfortable. If you need, ask the author to remove hard-coded paths and provide a documented, browser-based OAuth installer that does not recommend disabling 2FA.