garmin-ultimate-frisbee-analysis

Security checks across malware telemetry and agentic risk

Overview

This skill matches its Garmin fitness-analysis purpose, but it needs review because it asks users to handle real account credentials and stores/prints sensitive health and GPS data with weak safeguards.

Install only if you trust this skill with your Garmin account, health metrics, and activity location history. Do not save GARMIN_PASSWORD in ~/.zshrc or ~/.bashrc and avoid passing it with --password; use a short-lived environment value for login, then remove it. Protect ~/.clawdbot/garmin and any generated HTML, FIT, GPX, or TCX files, and be aware dashboards load Chart.js from cdn.jsdelivr.net when viewed.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access

Findings (12)

Context-Inappropriate Capability

Medium

Confidence: 92% confidence
Finding: The function writes attacker-influenced HTML and immediately opens it in the user's default browser, while the generated page loads JavaScript from external CDNs. This creates an unnecessary side effect that can leak user metadata/IP to third parties and, if any untrusted fields are embedded into the HTML without escaping, can turn dashboard generation into local HTML/JavaScript execution in the browser context.

Context-Inappropriate Capability

Medium

Confidence: 96% confidence
Finding: Automatically launching the generated report causes browser execution as a side effect of file generation, which is risky in an agent/tool context because the caller may expect a pure file-writing operation. Since the HTML includes multiple unescaped values from the input data, opening it immediately can trigger script execution or unsafe rendering if the input is maliciously crafted.

Context-Inappropriate Capability

Medium

Confidence: 90% confidence
Finding: The activity dashboard depends on externally hosted JavaScript libraries, so opening the report causes network requests to third-party CDNs even though the artifact is ostensibly a local HTML report. In privacy-sensitive or sandboxed environments this can leak usage information and introduces supply-chain risk if the CDN resource is tampered with or unavailable.

Context-Inappropriate Capability

Medium

Confidence: 96% confidence
Finding: This helper auto-opens the generated activity report in the browser, which means any unsafe HTML/JavaScript embedded from analysis data is immediately rendered. In an agent skill, that behavior expands the trust boundary from local file creation to active browser execution without explicit approval from the caller.

Intent-Code Divergence

Medium

Confidence: 92% confidence
Finding: The module docstring claims the script fetches health data, but the implementation also supports retrieving profile information including name and email. This mismatch increases the risk of unanticipated collection and downstream exposure of personally identifiable information, especially because all results are emitted to stdout for agent consumption.

Context-Inappropriate Capability

Medium

Confidence: 89% confidence
Finding: The script contains a profile retrieval path that returns full name, display name, and email even though the stated purpose is health-data access. In an agent skill context, adding unnecessary PII collection broadens the data exposure surface and can enable privacy violations if the agent requests or logs this information without user understanding.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The installer explicitly recommends exporting GARMIN_EMAIL and GARMIN_PASSWORD and adding them to ~/.zshrc or ~/.bashrc, which causes long-lived plaintext credentials to be stored in shell startup files. Those files are often broadly readable to the local user, may be backed up, synced, or exposed through shell history/config sharing, increasing the chance of credential leakage beyond the immediate session.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The documentation instructs users to authenticate with an email/password and explicitly save OAuth tokens for session reuse, but it does not warn that these credentials and tokens are sensitive secrets that must be protected. In the context of an unofficial reverse-engineered API, mishandling stored tokens or credentials could expose a user's Garmin account and personal health/activity data, especially if copied into scripts, logs, or insecure local files.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The script aggregates highly sensitive health data including sleep, HRV, body battery, and intraday heart rate, then emits it as raw JSON or renders it into an HTML dashboard without any privacy notice, consent prompt, minimization, or output protection. This creates a real privacy exposure because the data can be written to disk, displayed in a browser, or redirected elsewhere, potentially disclosing medical-adjacent information about the user or tournament participants.

Missing User Warnings

Medium

Confidence: 85% confidence
Finding: The script downloads and writes Garmin activity files containing sensitive GPS/location and fitness data directly to disk, defaulting to /tmp, without any warning, consent prompt, restrictive permissions, or data minimization. In an agent/skill context, silently persisting precise activity traces increases the chance of unintended disclosure through other local users, processes, logs, backups, or later reuse of the file.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The script accepts the Garmin password via a command-line argument, which can expose the secret through shell history, process listings, audit logs, or job runner telemetry on multi-user systems. In an authentication helper that handles real account credentials and persists session tokens, this increases the chance of credential theft beyond the intended local use.

Missing User Warnings

Medium

Confidence: 87% confidence
Finding: This script retrieves sensitive health metrics and can also output profile data directly to stdout, but provides no meaningful privacy notice, consent flow, or output-scope warning. In an agent environment, stdout is commonly captured, logged, or forwarded, making silent disclosure of health and identity data more dangerous than in a purely local CLI utility.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal