Skill v0.1.0

ClawScan security

Garmin Trainer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 11, 2026, 9:09 PM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requests and runtime instructions are coherent with its stated purpose (building and scheduling Garmin-based training plans), but it relies on a third‑party Homebrew tap and will read/write your Garmin Connect data via the gccli binary — review gccli's provenance and auth/storage behavior before installing.
Guidance
This skill runs the gccli CLI to read and modify your Garmin Connect account (activities, health metrics, scheduled workouts). Before installing: 1) Review the gccli project (https://github.com/bpauli/gccli) and the Homebrew tap to ensure you trust the maintainer. 2) Inspect where gccli stores authentication tokens/credentials on your machine and consider backing up important workouts before use. 3) Note the skill can delete skill-created workouts with --force — if you want interactive control, ask the skill to confirm before removing anything. 4) If you prefer, install and authenticate gccli yourself and run a few gccli commands manually to verify behavior before allowing the skill to run them automatically.

Review Dimensions

Purpose & Capability
ok: The skill is an instruction-only wrapper that calls the gccli CLI to read Garmin Connect data, generate workouts, and schedule them on the Garmin calendar. Requiring the gccli binary (installed via Homebrew) is appropriate and proportional to the described functionality.
Instruction Scope
note: SKILL.md instructs the agent to 'pull fresh data' and run many gccli commands that access sensitive health/training data (activities, HRV, sleep, training readiness, events). It also includes commands to remove skill-managed workouts with --force (automatic deletion). These behaviors align with the purpose but will access and modify personal Garmin data — users should be aware it reads and writes account data and can delete entries it created.
Install Mechanism
note: The install spec uses a Homebrew formula from the third‑party tap bpauli/tap (bpauli/gccli). Homebrew is a common installer, but a non-official tap carries more trust risk than an official core formula or a widely vetted release host. Confirm the tap and formula provenance before installing.
Credentials
note: The skill declares no required env vars, which is consistent, but it implicitly depends on gccli being authenticated to the user's Garmin account. That authentication and its credentials are managed by gccli (not declared here), so the skill will indirectly access sensitive tokens/config files that gccli uses — this is expected, but users should verify where gccli stores credentials and what permissions it has.
Persistence & Privilege
ok: always:false (not force-included) and there is no evidence the skill modifies other skills or system-wide settings. It does perform write operations to the user's Garmin account (creating and removing scheduled workouts), which is appropriate for the stated goal but is a privilege the user should accept consciously.