Back to skill

Security audit

Garmin Health Analysis

Security checks across malware telemetry and agentic risk

Overview

This Garmin skill appears purpose-built rather than malicious, but it handles very sensitive health, location, and account data with weak containment in a few places.

Install only on a trusted personal machine. Treat Garmin credentials, config.json, session tokens, generated charts, stdout logs, and downloaded FIT/GPX/TCX files as sensitive because they can reveal health metrics, routines, and precise locations. Prefer UI-managed secrets or a local secret store over command-line passwords, delete downloaded activity files when done, and configure the agent to use this skill only for explicit Garmin-related requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill clearly requires sensitive environment variables, reads and writes local files, and instructs users to execute shell commands, yet it does not declare permissions explicitly. This creates a transparency and trust problem: users or hosting platforms may not realize the full access scope before installation, increasing the chance of unintended credential exposure or unsafe execution in privileged environments.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The profile path fetches and returns personally identifiable information, including name and email, which is not necessary for core health-metric analysis. Exposing PII through a general-purpose data retrieval script increases privacy risk because downstream agent components, logs, or callers may capture and persist this information without explicit user consent or minimization.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The description uses broad conversational triggers such as natural questions about sleep, heart rate, workouts, and recovery that can overlap with ordinary user dialogue. In agent systems that auto-select skills from freeform text, this can cause over-invocation of a powerful skill that accesses health data, local files, and credentials, exposing sensitive data more often than intended.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The setup documentation asks users to provide Garmin email and password and describes token storage, but it does not present an upfront warning that highly sensitive health data will be transmitted to Garmin and that local credential/token handling is involved. Because this skill processes health metrics and authentication secrets, weak disclosure increases the risk of uninformed consent, unsafe storage practices, and accidental use on shared or insecure machines.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The documentation explicitly shows extracting and reusing OAuth tokens for session persistence but does not warn that these tokens are sensitive secrets equivalent to account access. In a health-analysis skill, compromised Garmin tokens could expose highly sensitive personal fitness and health data and allow unauthorized API access until the tokens expire or are revoked.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This documentation explicitly enables downloading and analyzing FIT/GPX/TCX activity files containing sensitive health telemetry and precise location data, but it provides no privacy warning, consent guidance, retention limits, or safe-handling expectations. In a health-analysis skill, that omission increases the chance that users or downstream agents expose routes, biometrics, and daily patterns without understanding the sensitivity of the data.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The guide is explicitly framed to be used whenever a user asks about their health, trends, or insights, which creates an overly broad semantic trigger for a skill handling sensitive health data. This can cause unintended invocation on general health questions outside the user's Garmin context, leading to inappropriate medical-style interpretations, privacy overreach, or unsafe advice based on incomplete data.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The document instructs users to create a local .env file and add credentials, but it does not warn about the sensitivity of those secrets, safe file permissions, or the risk of accidentally committing or exposing them. In a health-data integration context, these credentials can grant access to private Garmin account data and shared authentication tokens, increasing privacy and account-compromise risk.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code downloads FIT/GPX/TCX files containing highly sensitive location and health telemetry and writes them to local storage by default under /tmp without any user confirmation, warning, retention policy, or permission hardening. In a skill designed to handle personal Garmin data, silent persistence increases the chance of unintended disclosure through other local users, shared environments, backups, logs, or leftover temporary files.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script explicitly supports loading Garmin credentials from a local plaintext config file and environment variables, and it even recommends those methods to users. Storing long-lived account credentials this way increases the chance of accidental disclosure through source control, backups, process inspection, shell history, logs, or misconfigured host environments, especially given this skill handles sensitive health-related account access.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
This script retrieves sensitive health and profile data from Garmin and prints it directly to stdout as structured JSON, which can be consumed, logged, cached, or exposed by the surrounding agent platform. In an agent skill context, stdout is often an integration boundary rather than a private terminal, so unrestricted emission of sleep, HRV, heart rate, stress, activity, and profile data materially raises confidentiality and privacy exposure.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This script retrieves highly sensitive health data such as body composition, SPO2, respiration, stress, hydration, and intraday heart-rate data and prints the results directly, but the file contains no explicit user-facing disclosure, consent check, or warning at the point of access. In a skill specifically designed to query Garmin health records, this increases privacy risk because users may not fully understand the breadth and sensitivity of the data being fetched and exposed to downstream consumers or logs.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.