garmin-ultimate-frisbee-analysis
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its Garmin analytics purpose, but it asks for full Garmin credentials and encourages saving the password in shell startup files while also claiming the password is not written to disk.
Only install if you trust this code with your Garmin Connect account and health data. Do not save GARMIN_PASSWORD permanently in ~/.zshrc or ~/.bashrc; set it temporarily for login, protect or periodically remove ~/.clawdbot/garmin session tokens, use a virtual environment for dependencies, and avoid sharing generated HTML dashboards because they can contain sensitive health information.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Any person or local process that can read the shell profile could recover the Garmin password and use it to access the account and its health data.
The skill asks the user to place a full Garmin account password in a persistent shell startup file, even though the password is only needed at authentication time.
Quoted from the skill: Set `GARMIN_EMAIL` and `GARMIN_PASSWORD` in your shell profile (`~/.zshrc` or `~/.bashrc`): ... export GARMIN_PASSWORD="your-password"
Avoid persisting the password in shell profiles; set it temporarily only for login, remove it afterward, and prefer an interactive prompt or an OS credential store.

A user could follow the setup believing their password is not on disk, when the suggested configuration does put it on disk.
The privacy wording may lead users to believe the password will not be stored, while the setup guidance instructs them to store it in a shell profile.
Quoted from the skill: The password is used **once** during login and is **never written to disk or logged** ... Set `GARMIN_EMAIL` and `GARMIN_PASSWORD` in your shell profile
Update the documentation to clearly distinguish script behavior from user-managed environment storage and provide a safer non-persistent credential setup.

Installing later dependency versions could introduce unexpected bugs or security changes.
The dependencies are minimum-version ranges, not exact pins, so future package releases could change behavior despite documentation describing them as pinned.
Quoted from the skill: garminconnect>=0.2.19 fitparse>=3.2.0 gpxpy>=1.3.5
Use exact pinned versions or hashes, ideally in a virtual environment, before providing Garmin credentials.

If the CDN script were compromised or replaced, it could access data embedded in the dashboard when opened.
Generated dashboards embed Garmin-derived data and load a third-party JavaScript library from a CDN; this is disclosed and purpose-aligned, but the remote script runs in the dashboard page.
Quoted from the skill: <script src="https://cdn.jsdelivr.net/npm/chart.js@4.4.0/dist/chart.umd.min.js"></script> ... const chartsData = {json.dumps(charts_data)};
For sensitive health dashboards, consider bundling Chart.js locally, using subresource integrity, or opening dashboards only in trusted environments.
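As an added example (not code from the ClawScan review or from the skill itself), this shows how a dashboard generator could emit the Chart.js tag with a subresource-integrity value, and how the browser-side comparison rejects a modified script. The library bytes are a constructed stand-in; the CDN URL is the one quoted above.

```python
"""Subresource integrity (SRI) for a dashboard's Chart.js <script> tag.

Added example, not part of the ClawScan review or the skill's code.
Assumes the generator has a local copy of the library bytes (downloaded
once and kept with the project) so the hash can be computed offline.
"""
import base64
import hashlib
import hmac

# Hash algorithms browsers accept in the integrity attribute.
_SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_hash(data: bytes, algo: str = "sha384") -> str:
    """Return integrity metadata for `data`, e.g. 'sha384-<base64 digest>'."""
    if algo not in _SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(data: bytes, integrity: str) -> bool:
    """Mirror the browser-side check: do the fetched bytes match the tag?"""
    algo, _, expected = integrity.partition("-")
    if algo not in _SRI_ALGOS or not expected:
        return False  # unknown algorithm or malformed value: refuse
    return hmac.compare_digest(sri_hash(data, algo), integrity)


def script_tag(src: str, library_bytes: bytes) -> str:
    """Build the <script> tag with integrity and crossorigin attributes."""
    return (
        f'<script src="{src}" integrity="{sri_hash(library_bytes)}" '
        f'crossorigin="anonymous"></script>'
    )


# Constructed stand-in for the library file; a real build reads the
# downloaded chart.umd.min.js bytes here instead.
SAMPLE_LIBRARY = b"/* constructed stand-in for chart.umd.min.js */\n"
CDN_URL = "https://cdn.jsdelivr.net/npm/chart.js@4.4.0/dist/chart.umd.min.js"

if __name__ == "__main__":
    print(script_tag(CDN_URL, SAMPLE_LIBRARY))
    # A replaced or tampered CDN file no longer matches, so the browser
    # refuses to execute it: prints False.
    print(verify_sri(SAMPLE_LIBRARY + b"// modified\n", sri_hash(SAMPLE_LIBRARY)))
```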
