ClawHub

Garminskill

v1.3.1

Syncs daily health and fitness data from Garmin Connect into markdown files. Provides sleep, activity, heart rate, stress, body battery, HRV, SpO2, and weight data.

3· 1.7k·3 current·3 all-time
by@freakyflow

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for freakyflow/garmin-pulse.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Garminskill" (freakyflow/garmin-pulse) from ClawHub.
Skill page: https://clawhub.ai/freakyflow/garmin-pulse
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: uv
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install garmin-pulse

ClawHub CLI

Package manager switcher

npx clawhub@latest install garmin-pulse
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required binary (uv), and the bundled Python script all match: the skill logs into Garmin Connect (via garminconnect + cloudscraper) and writes markdown files under the skill's directory. Requested binaries and dependencies are proportional to syncing Garmin data.
Instruction Scope
Runtime instructions are narrowly scoped to setup (interactive password prompt) and syncing data. They explicitly instruct the user to run a one-time setup in a terminal and warn not to paste passwords into chat. However, the README advises disabling Garmin two-factor authentication (2FA) because the underlying library doesn't support 2FA — this is a security tradeoff that users should consider. The script also uses cloudscraper to bypass Cloudflare, which is functionally necessary but worth knowing about.
Install Mechanism
Registry install metadata uses a Homebrew formula for uv (reasonable). The skill relies on uv to create an isolated environment and fetch Python deps (garminconnect, cloudscraper) per inline metadata. The README additionally documents curl | sh installers for uv (common but higher-risk), so users should prefer trusted package sources (Homebrew) and be aware uv will fetch packages from public PyPI at runtime.
Credentials
The skill requests no environment variables or external credentials in the registry metadata. It performs a one-time interactive login and caches OAuth tokens in ~/.garminconnect, which is expected for this purpose. Those cached tokens are sensitive (they grant access to the Garmin account) but their use is proportional to the stated function.
Persistence & Privilege
always is false and disable-model-invocation is true in the skill metadata, limiting autonomous invocation. The skill persists tokens to ~/.garminconnect and writes daily markdown files under the skill baseDir/health/ — these are expected artifacts for the feature. The skill does not request system-wide config changes or other skills' credentials.
Assessment
What to consider before installing: - Account security: The script requires a one-time email/password login and caches OAuth tokens in ~/.garminconnect. Those tokens grant access to your Garmin account — protect the directory (file permissions) and avoid backing it up to untrusted cloud storage. - 2FA recommendation: The README says the garminconnect library does not support 2FA and instructs disabling two-step verification to use the skill. Disabling 2FA weakens your account security; weigh this tradeoff and consider using a separate Garmin account if you want to maintain MFA on your main account. - Dependency trust: The skill relies on the garminconnect and cloudscraper Python libraries. cloudscraper is explicitly used to bypass Cloudflare protections; while necessary to access the Garmin SSO endpoints, it increases the network/automation complexity. Review those libraries and the script if you have concerns about network behavior. - Installation source: The registry uses Homebrew to install uv (preferred). The README also documents curl | sh installers for uv — avoid running installers from unknown hosts unless you trust them. Prefer package manager installs from trusted repositories. - Local setup only: Setup is interactive and runs locally (uv run ...). Do not paste passwords into chat or allow remote agents to perform setup. The skill has disable-model-invocation enabled, which prevents the model from autonomously running it. - Audit if needed: If you want extra assurance, review the included script (scripts/sync_garmin.py) yourself or run it in a constrained environment. Consider creating a secondary Garmin account for testing if you don't want to alter your main account's security settings. Overall: the skill appears to do what it claims and is proportionate to its purpose, but be mindful of the explicit advice to disable 2FA and of the sensitive cached tokens it stores locally.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

💪 Clawdis
Binsuv

Install

Install uv via Homebrew
Bins: uv
brew install uv
latestvk976mt7zbsaqfjgkmbbv7exg4980zp5s
1.7kdownloads
3stars
8versions
Updated 2mo ago
v1.3.1
MIT-0
@freakyflow
latest
Download

Garmin Connect

This skill syncs your daily health data from Garmin Connect into readable markdown files.

Setup

Authentication is required before the first sync. This only needs to happen once — tokens are cached for approximately one year.

If the sync command fails with "No cached tokens found", tell the user to run the setup command in their terminal:

uv run {baseDir}/scripts/sync_garmin.py --setup --email you@example.com

The password is prompted interactively via getpass — it is never echoed to screen, stored in shell history, or passed as a command argument. On success the user will see Success! Tokens cached in ~/.garminconnect. After that, all syncs use cached tokens only — no credentials are needed.

Do not ask the user for their password in chat and do not pass passwords as command-line arguments or via stdin piping, as these methods can expose credentials in process listings or conversation history.

Syncing Data

Sync today's data:

uv run {baseDir}/scripts/sync_garmin.py

Sync a specific date:

uv run {baseDir}/scripts/sync_garmin.py --date 2026-02-07

Sync the last N days:

uv run {baseDir}/scripts/sync_garmin.py --days 7

Reading Health Data

Health files are stored at {baseDir}/health/YYYY-MM-DD.md — one file per day.

To answer health or fitness questions, read the relevant date's file from the {baseDir}/health/ directory. If the file doesn't exist for the requested date, run the sync command for that date first.

Dependencies

This skill uses uv to run the sync script. uv is a fast Python package manager by Astral that reads inline script metadata (PEP 723) and automatically installs dependencies (garminconnect, cloudscraper) in an isolated environment — no manual pip install needed.

Credentials & Stored Data

Garmin Connect does not offer a public OAuth API, so a one-time email/password login is required. During setup, the password is used once to obtain OAuth tokens, then discarded. The tokens are cached locally in ~/.garminconnect/ for approximately one year. At runtime, only the cached tokens are used — no email or password is needed. If tokens expire, re-run the setup command.

Paths written by this skill:

  • ~/.garminconnect/ — cached OAuth tokens (sensitive; grants access to the user's Garmin account)
  • {baseDir}/health/ — daily health markdown files (contains personal health data)

Cron Setup

Schedule the sync script to run every morning using OpenClaw's cron tool so your health data stays up to date automatically. No environment variables or credentials are needed — the sync uses cached tokens from the one-time setup.

Comments

Loading comments...