Garminskill

Security checks across malware telemetry and agentic risk

Overview

The skill appears to do the Garmin health sync it advertises, but it asks users to weaken Garmin account security and stores sensitive health data and long-lived tokens locally.

Install only if you accept an unofficial Garmin login flow, local plaintext health records, and long-lived Garmin tokens stored on your machine. Avoid disabling 2FA on an important Garmin account unless you knowingly accept the account-takeover risk, and keep ~/.garminconnect/ plus the health output directory private, encrypted if possible, and out of cloud sync or public repositories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 95%
Finding
The skill performs network access to Garmin Connect and writes data to local files, including sensitive OAuth tokens and health records, but declares no permissions. This creates a transparency and consent problem: a user or platform may not realize the skill can contact external services and persist sensitive data, increasing the risk of unauthorized data access or misuse.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 88%
Finding
The documented behavior understates what the skill handles: beyond simple markdown syncing, it performs account authentication, caches long-lived tokens, and appears to export additional health metrics not disclosed in the description. When a skill processes more data types and credentials than advertised, users cannot give informed consent and may expose broader sensitive health/account data than expected.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding
The README explicitly instructs users to disable two-factor authentication on their Garmin account in order to use the skill. That weakens the security of the entire account, not just this integration, and creates a materially larger risk of account takeover if credentials are phished, reused, or leaked.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding
The README documents use of cloudscraper specifically to bypass Cloudflare protections on Garmin SSO. Even if framed as a reliability workaround, bypassing anti-bot controls is security-sensitive behavior that exceeds a simple data-sync description and may expose users to fragile, detection-prone, or policy-violating authentication flows.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The skill syncs highly sensitive health and fitness data into local markdown files that may be broadly readable, indexed, backed up, or ingested by other tools, yet the README provides no clear privacy warning. This can lead users to expose medical-adjacent personal data without understanding retention, filesystem permissions, or downstream access risks.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
Telling users to disable 2FA without a prominent warning about the security tradeoff omits critical risk information. Users may follow the instructions believing this is routine setup, when in fact it reduces protection for the full Garmin account and any linked personal data or services.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The script writes highly sensitive health information, including sleep, heart rate, stress, SpO2, weight, and activity data, into plaintext markdown files on local disk without any explicit warning, consent checkpoint, or guidance about storage sensitivity. This increases the risk of unintended disclosure through backups, sync tools, shared folders, or local compromise, especially because users may not realize medical-adjacent data is being persisted unencrypted.

VirusTotal

65/65 vendors flagged this skill as clean.