ClawHub

Garmin Connect Health

v1.0.8

Fetch health and fitness data from Garmin Connect -- 40+ metrics including sleep, HRV, stress, body battery, SpO2, VO2 Max, training status, and activities....

0· 150·0 current·0 all-time
by@dw1161
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description promise (fetch Garmin Connect health data) matches what's implemented: a Python script that uses the python-garminconnect library to authenticate, read many health metrics, and write JSON snapshots. Required credential handling (env vars, CLI, keychain, or local file) is appropriate for this purpose.
Instruction Scope
SKILL.md and the script restrict activity to authenticating with Garmin Connect, calling Garmin endpoints, and saving JSON under ~/.garmin_health and token cache under ~/.garminconnect. The script calls the macOS 'security' tool when available to read keychain entries (expected) and reads a local credentials file if present. Instructions do not direct data to third-party endpoints.
Install Mechanism
No custom install spec; user is instructed to pip install the well-known python-garminconnect package. No downloads from arbitrary URLs or archive extraction; installation method is standard for a Python script.
Credentials
The skill legitimately needs Garmin credentials (env vars / CLI / keychain / file) and a small set of optional env vars (GARMIN_IS_CN, GARMIN_DATA_DIR, GARMIN_TOKENSTORE). One minor metadata mismatch: the registry primary credential field is 'none' while the skill in practice needs your Garmin account credentials—this is expected for operation but worth noting.
Persistence & Privilege
The skill does persist data locally (JSON snapshots) and caches OAuth tokens in ~/.garminconnect; this is coherent with its function. It does not request system-wide persistence (always:true) nor modify other skills' configurations. It uses subprocess to call the macOS 'security' command when available (expected for keychain access).
Assessment
This skill appears to do what it says, but it requires your Garmin account credentials and will cache an OAuth token and JSON files in your home directory. Before installing: - Prefer macOS Keychain (or other secure secrets manager) over passing --password on the CLI or saving passwords in a file. - If you use ~/.garmin_credentials, set strict permissions (chmod 600). - Be aware tokens are cached under ~/.garminconnect; delete them if you want to revoke local access. - Review the python-garminconnect dependency source (or vendor it) if you don't already trust it. - Note the minor metadata mismatch: the registry lists no primary credential while the skill does require your Garmin login to function. - If you allow autonomous agent invocation, the agent may call this skill and access your cached data; consider that when granting agent permissions.

Like a lobster shell, security has layers — review code before you run it.

latestvk974j40zwzygj4d7zqpcbja2mx83nvvn

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments