ClawHub

ClawHealth Garmin

v0.1.7

Lightweight Garmin Connect skill that uses the clawhealth Python package to sync health data into local SQLite and expose JSON-friendly commands for OpenClaw.

0· 125·1 current·1 all-time
by@ernestyu
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match required env vars and binaries: Garmin username/password file, DB and config paths, and python. The skill delegates to a clawhealth CLI installed from PyPI which is coherent for a Garmin-sync skill.
Instruction Scope
Runtime instructions and code only load a simple .env, set default paths, resolve relative paths, and call the installed 'clawhealth' CLI. One minor inconsistency across docs: SKILL.md/manifest state the package is installed from PyPI, while README mentions fetching src from GitHub at runtime — this should be clarified but is not necessarily malicious. The scripts do not read unrelated system files or exfiltrate data themselves.
Install Mechanism
bootstrap_deps.py creates a local virtualenv and pip-installs the published 'clawhealth' package from PyPI — a standard pattern. This is moderate-risk in general (installing third-party packages), but appropriate for the stated purpose. No downloads from untrusted URLs or URL shorteners are present.
Credentials
Requested env vars (username, password file, DB, config dir) are proportional and expected. The code prefers password files and keeps defaults scoped to the skill folder. No unrelated credential variables are requested.
Persistence & Privilege
Skill is not marked always:true and does not modify other skills or system settings. It stores configs and DB under the skill directory as expected.
Assessment
This skill appears to do what it claims: it installs the 'clawhealth' package into a local .venv, reads your Garmin credentials (recommended via a local password file), and runs the clawhealth CLI to sync data into a local SQLite DB. Before installing, confirm you trust the 'clawhealth' package on PyPI (and the referenced GitHub repo) because pip-installed packages execute code on install and at runtime. Use a password file (chmod 600) and keep .env/DB out of version control. If you need extra assurance, inspect the installed 'clawhealth' package source (or vendor it) and run the skill in an isolated environment/container. Also ask the publisher to clarify the README discrepancy about whether source is fetched from GitHub at runtime.

Like a lobster shell, security has layers — review code before you run it.

clivk97fhdhc3qevqykvbegy0cztb1833kp8garminvk97fhdhc3qevqykvbegy0cztb1833kp8healthvk97fhdhc3qevqykvbegy0cztb1833kp8latestvk97f5xqxffs6hzb73pgmtgv6fs837et3sqlitevk97fhdhc3qevqykvbegy0cztb1833kp8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binspython3
Any binpython
EnvCLAWHEALTH_GARMIN_USERNAME, CLAWHEALTH_GARMIN_PASSWORD_FILE, CLAWHEALTH_DB, CLAWHEALTH_CONFIG_DIR

Comments