Garmin Connect CLI
ReviewAudited by ClawScan on May 10, 2026.
Overview
This Garmin CLI skill is purpose-aligned, but it can access Garmin account health data and documents forced account-data deletion without clear confirmation guardrails.
Review carefully before installing. This skill is a normal Garmin Connect CLI wrapper, but it can access sensitive health and activity data and perform account-changing actions. Only use destructive commands after confirming the exact target, and treat any exported Garmin tokens as passwords.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked on the wrong activity ID, the agent could delete Garmin activity data without a final Garmin CLI confirmation.
This is a destructive Garmin account-data operation, and the documented form uses `--force`, which can bypass the CLI's normal confirmation prompt. The artifact does not add a compensating instruction to confirm the exact activity with the user before running it.
Delete activity: `gccli activity delete <id> --force`
Require explicit user confirmation for delete, upload, schedule, and profile-changing commands; avoid `--force` by default unless the user has confirmed the exact target and consequence.
The agent may be able to read Garmin health/activity data and, if asked to export tokens, expose credentials that could be reused elsewhere.
The skill needs Garmin account authentication and can display/export reusable credential material. This is purpose-aligned for a Garmin CLI, but it is sensitive account access.
Requires Garmin SSO authentication. ... Auth token (for scripting): `gccli auth token` ... Export credentials: `gccli auth export`
Use this only with a Garmin account you intend the agent to access, do not share exported tokens, and remove or revoke credentials when no longer needed.
Security depends on the upstream Homebrew formula and `gccli` binary/source.
The skill installs and relies on an external Homebrew tap binary. That is expected for this CLI wrapper, but the submitted skill package contains no code files for this scan to inspect.
brew | formula: bpauli/tap/gccli | creates binaries: gccli
Install from the expected upstream project, review the Homebrew tap/source if appropriate, and keep the binary updated.