Garmin Connect Pro

Security checks across malware telemetry and agentic risk

Overview

This Garmin skill accesses sensitive fitness data and uses local authentication files, but its behavior is disclosed, purpose-aligned, and user-directed.

Install only if you are comfortable giving the skill access to Garmin health, activity, profile, device, and possibly location data. Prefer environment variables or a system secret store over the plaintext credentials.json fallback, protect the token directory, avoid broad JSON exports unless needed, and remove cron jobs and saved tokens when you stop using it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding
The skill documentation indicates capabilities to read environment variables, write credential/token files, and invoke shell commands, yet no explicit permissions are declared. This creates a transparency and least-privilege problem: users may grant or run the skill without understanding that it handles secrets and filesystem state. In a credential-handling skill, missing permission declarations materially increase risk because the behavior is sensitive even if expected for the feature set.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 84%
Finding
The declared description emphasizes fitness-data querying, but the documented behavior extends into credential storage, token persistence, account/session management, and broader profile/device/export access. That mismatch undermines informed consent and can conceal the full privacy/security exposure of the skill, especially given the breadth of health and account data involved. While much of this may be functionally related, it is still a security-relevant disclosure failure.

Description-Behavior Mismatch

Severity: Medium
Confidence: 87%
Finding
The skill description presents the tool as a data retrieval/query utility, but the code also persists authentication material locally and later deletes it. This is a real security-relevant behavior because storing credentials and tokens expands the attack surface on the host, especially for a skill handling health-account access.

Description-Behavior Mismatch

Severity: Medium
Confidence: 83%
Finding
The skill writes downloaded activity exports to local disk even though the description emphasizes querying and viewing Garmin data. Persisting FIT/GPX/TCX files creates additional privacy risk because detailed location and health/activity records remain on the filesystem and may be accessible to other local processes or users.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The login flow stores the user's Garmin email and password in a local JSON file. Even with chmod 0600, plaintext credential persistence is dangerous because any local compromise, backup leak, container volume exposure, or accidental file sharing can expose credentials for a sensitive health account.

Credential Access

Severity: High
Category: Privilege Escalation
Content
          required: false
          secret: true
      files:
        - path: ~/.config/garmin-connect/credentials.json
          description: "Fallback: Credentials file if env vars not set. WARNING: Plaintext - use env vars instead."
          required: false
          permissions: "600"
Confidence: 97%
Finding
credentials.json

Credential Access

Severity: High
Category: Privilege Escalation
Content
# Option B: Use credentials file
mkdir -p ~/.config/garmin-connect
echo '{"email": "your-email@example.com", "password": "your-password"}' > ~/.config/garmin-connect/credentials.json
chmod 600 ~/.config/garmin-connect/credentials.json

# Login (generates OAuth tokens)
Confidence: 98%
Finding
credentials.json

Credential Access

Severity: High
Category: Privilege Escalation
Content
# Option B: Use credentials file
mkdir -p ~/.config/garmin-connect
echo '{"email": "your-email@example.com", "password": "your-password"}' > ~/.config/garmin-connect/credentials.json
chmod 600 ~/.config/garmin-connect/credentials.json

# Login (generates OAuth tokens)
python3 ~/.agents/skills/garmin-connect-pro/scripts/garmin.py login
Confidence: 94%
Finding
credentials.json

Credential Access

Severity: High
Category: Privilege Escalation
Content
      },
      "files": [
        {
          "path": "~/.config/garmin-connect/credentials.json",
          "description": "Garmin Connect login credentials (email + password). Used if env vars not set.",
          "required": false,
          "permissions": "600",
Confidence: 93%
Finding
credentials.json

Session Persistence

Severity: Medium
Category: Rogue Agent
Content
**Option 2: Credentials File**
```bash
mkdir -p ~/.config/garmin-connect
echo '{"email": "your-email@example.com", "password": "your-password"}' > ~/.config/garmin-connect/credentials.json
chmod 600 ~/.config/garmin-connect/credentials.json
```
Confidence: 89%
Finding
mkdir -p ~/.config/garmin-connect
echo '{"email": "your-email@example.com", "password": "your-password"}' > ~/.config/garmin-connect/credentials.json
chmod 600 ~/.config/garmin-connect/credentials.jso

VirusTotal

64/64 vendors flagged this skill as clean.