garmin-ultimate-frisbee-analysis
v1.0.0Analyzes Garmin Ultimate Frisbee data to generate interactive HTML dashboards on sprints, fatigue, heart rate, training load, and season trends for performan...
⭐ 0· 132·0 current·0 all-time
byEvelyn@evelyndevelops
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description, required libraries (garminconnect, fitparse, gpxpy), and the scripts all focus on fetching Garmin Connect data, parsing FIT/GPX files, and generating HTML dashboards — the credentials requested (GARMIN_EMAIL, GARMIN_PASSWORD) are appropriate for the python-garminconnect SSO flow used by the code.
Instruction Scope
SKILL.md and scripts instruct the agent/user to set GARMIN_EMAIL/PASSWORD, run an authentication step that stores a session token under ~/.clawdbot/garmin/, and then run data-export and charting scripts. The instructions stay within the declared purpose (fetching and analyzing Garmin data). One caution: the auth helper (scripts/garmin_auth.py) was not shown in full here — verify that it truly only interacts with Garmin endpoints and that it does not transmit credentials or collected data to other external endpoints.
Install Mechanism
There is no registry install spec listed, but the repo includes install instructions and an install.sh that runs pip3 install -r requirements.txt. Installing via pip from PyPI (garminconnect, fitparse, gpxpy) is expected for this functionality, but pip installs execute package code on install — review dependencies and run installation in an isolated environment (virtualenv) where possible. Minor inconsistency: registry metadata claimed 'No install spec' while SKILL.md contains an 'install' section and metadata.install entries.
Credentials
The only required secrets are GARMIN_EMAIL and GARMIN_PASSWORD, which are proportionate to authenticating with Garmin Connect via the python-garminconnect library. These are sensitive credentials: confirm the auth code stores only session tokens (as documented) and does not log or exfiltrate the password. Consider using a dedicated Garmin account or revoking sessions if you stop using the skill.
Persistence & Privilege
always is false and the skill does not request system-wide privileges. It stores session tokens under its own path (~/.clawdbot/garmin/) which is a reasonable local persistence mechanism for a connector. Autonomous invocation is enabled (platform default); that increases blast radius for any bug/malicious behavior, but there is no evidence here that the skill misuses that power.
Assessment
This skill appears coherent for its stated purpose, but take these precautions before installing: 1) Inspect scripts/garmin_auth.py to confirm it only talks to Garmin endpoints and that it stores tokens safely (no remote exfiltration). 2) Install dependencies inside a virtualenv or isolated environment (pip runs package install scripts). 3) Consider using a dedicated Garmin account or be prepared to revoke sessions/credentials if you stop using the skill. 4) Review install.sh and the SKILL.md metadata.install (the registry listed 'no install spec' but the repo includes install instructions). If you are comfortable with those checks, the skill looks appropriate for use.Like a lobster shell, security has layers — review code before you run it.
latestvk97ch55wxpfrrkv6rye4f29e15831drs
License
MIT-0
Free to use, modify, and redistribute. No attribution required.