Dexcom CGM

Review

Audited by ClawScan on May 1, 2026.

Overview

This skill appears to do what it says—fetch Dexcom glucose readings—but it handles Dexcom login credentials and sensitive health data.

This skill is coherent and purpose-aligned. Before installing, make sure you trust the environment where Dexcom credentials will be stored, understand that glucose readings may appear in agent output or logs, and consider pinning or reviewing the Python dependencies if you need stronger supply-chain assurance.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone or any agent context with access to these environment variables or config values could retrieve current Dexcom glucose readings.

Why it was flagged

The skill requires Dexcom account credentials to retrieve glucose data. This is expected for the stated Dexcom monitoring purpose, but it gives the skill access to a sensitive health account.

Skill content

export DEXCOM_USER="your@email.com"
export DEXCOM_PASSWORD="your-password"

Recommendation

Use this only in trusted environments, protect the credentials, and avoid storing the password in shared or insecure configuration files.

What this means

A future or unexpected dependency version could change how credentials or glucose data are handled.

Why it was flagged

The skill relies on external Python packages without pinned versions. This is normal for a small integration script, but those packages are part of the credential-handling path.

Skill content

dependencies = ["pydexcom", "fire"]

Recommendation

Prefer pinned dependency versions or a reviewed lockfile for higher assurance, especially because Dexcom credentials are involved.

What this means

Glucose readings may become visible in conversation history, logs, or downstream summaries depending on how the agent environment stores outputs.

Why it was flagged

The skill can output raw glucose readings, including value, trend, and timestamp, into the agent or chat context. This is purpose-aligned but sensitive medical information.

Skill content

print(json.dumps(get_reading(), indent=2, sort_keys=True))

Recommendation

Invoke the skill only where you are comfortable exposing the current glucose reading, and avoid unnecessary raw JSON output in shared contexts.