Garmin Health Analysis

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: garmin-health-analysis
Version: 1.2.2

The OpenClaw skill 'garmin-health-analysis' is designed to fetch, analyze, and visualize personal health data from Garmin Connect. All code and documentation align with this stated purpose. Sensitive Garmin credentials are handled by storing session tokens locally in `~/.clawdbot/garmin` with secure permissions (0o700), and all network interactions are directed solely to Garmin's official API via the `garminconnect` library. There is no evidence of data exfiltration to unauthorized endpoints, malicious execution, persistence mechanisms, or prompt injection attempts against the agent that would lead to harmful behavior beyond the skill's stated scope. The instructions for the AI agent in `SKILL.md` and `references/health_analysis.md` are clear and guide the agent in performing legitimate health data analysis and reporting.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Enabling the skill gives it access to detailed Garmin account information such as sleep, heart rate, activities, profile data, and routes.

Why it was flagged

The skill needs Garmin login credentials and persists an authenticated session so it can read Garmin account data.

Skill content

"env":["GARMIN_EMAIL","GARMIN_PASSWORD"] ... "Session tokens are stored in `~/.clawdbot/garmin-tokens.json` and auto-refresh."

Recommendation

Use it only if you are comfortable granting Garmin account access; protect any config or token files, avoid passing passwords on the command line when possible, and revoke or rotate credentials if you uninstall it.

What this means

Installing dependencies this way can change the local Python environment and relies on the current PyPI packages for Garmin, FIT, and GPX parsing.

Why it was flagged

The installer pulls unpinned Python dependencies and may fall back to modifying the system Python environment.

Skill content

pip3 install --user garminconnect fitparse gpxpy ... pip3 install --break-system-packages garminconnect fitparse gpxpy

Recommendation

Prefer a virtual environment or user-level install, review the dependency sources, and avoid the system-package fallback unless you understand the impact.

What this means

Downloaded FIT/GPX/TCX files may contain private GPS routes and workout health data that remain on disk after analysis.

Why it was flagged

The skill can export Garmin activity files containing route and fitness details to local files, defaulting to /tmp.

Skill content

def download_activity_file(client, activity_id, file_format="fit", output_dir="/tmp") ... with open(output_path, 'wb') as f: f.write(data)

Recommendation

Save activity files to a private directory when possible and delete exported files when you no longer need them.