Garmin Connect Health

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it fetches Garmin health data using the user’s account and stores it locally, with privacy risks that are disclosed enough for installation guidance rather than a Review hold.

Install only on a private machine/account you trust with health data. Prefer macOS Keychain or a chmod 600 credentials file over command-line passwords, keep GARMIN_DATA_DIR and GARMIN_TOKENSTORE in private directories, and periodically delete cached JSON/SQLite/token files if you no longer want local health history retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Tainted flow: 'cache_file' from os.environ.get (line 409, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
    p(f"  本周运动: 中强度 {result.get('weekly_moderate_minutes')}min  高强度 {result.get('weekly_vigorous_minutes')}min / 目标 {result.get('weekly_intensity_goal')}min")

    # ── Save JSON ──────────────────────────────
    with open(cache_file, "w", encoding="utf-8") as f:
        json.dump(result, f, ensure_ascii=False, indent=2)

    if target_date == str(date.today()):
Confidence
81% confidence
Finding
with open(cache_file, "w", encoding="utf-8") as f:

Tainted flow: 'latest_file' from os.environ.get (line 753, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
    if target_date == str(date.today()):
        latest_file = os.path.join(DATA_DIR, "latest.json")
        with open(latest_file, "w", encoding="utf-8") as f:
            json.dump(result, f, ensure_ascii=False, indent=2)

    # ── Write SQLite daily_summary ──────────────
Confidence
81% confidence
Finding
with open(latest_file, "w", encoding="utf-8") as f:

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README tells users to place Garmin credentials directly into shell environment variables in plaintext, but does not warn that these values may be exposed through shell history, process inspection, screenshots, shared terminal sessions, CI logs, or inherited environments. Because the skill handles sensitive health-account access, encouraging the least secure credential path increases the chance of account compromise and privacy loss.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The example triggers such as 'Show my health data' and similar natural-language phrases are broad enough to overlap with ordinary user requests. In an agent environment, this can cause accidental invocation of a credentialed skill that fetches and stores sensitive health information when the user may have intended a general discussion rather than execution.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script fetches and persists extensive sensitive health information including sleep, heart rate timelines, stress, body battery, weight, and activity details into local JSON and SQLite files by default. There is no explicit consent prompt, retention control, encryption, or strong permission enforcement, which raises material privacy risk if run on shared systems, agent hosts, or machines with backups/logging that expose home-directory contents.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The manifest explicitly states that daily health snapshots and OAuth tokens are stored locally, but it does not warn users that this data is privacy-sensitive or describe expected protections such as file permissions, encryption, or retention controls. Because the skill handles health metrics and authentication artifacts, silent local retention increases the risk of unintended disclosure on shared or compromised systems.

VirusTotal

66/66 vendors flagged this skill as clean.
