Garminskill
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill appears to do the advertised Garmin health sync, but it asks users to weaken Garmin account protections and uses long-lived account tokens plus Cloudflare-bypass tooling.
Review carefully before installing. The health-sync behavior is coherent, but you should be comfortable disabling Garmin 2FA, storing long-lived Garmin tokens in ~/.garminconnect, using Cloudflare-bypass tooling for login, and keeping generated health files private.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Disabling 2FA makes the Garmin account easier to compromise, and the skill then relies on long-lived local access to that account.
The skill requires users to lower Garmin account protections to authenticate, which is a significant permission and account-security tradeoff.
A Garmin Connect account (two-factor authentication must be disabled ...); ... You'll need to disable 2FA on your Garmin account to use this skill
Install only if you accept this account-security tradeoff. Keep 2FA enabled if possible, prefer an official/scoped integration if one becomes available, and remove cached tokens if you stop using the skill.
Garmin may block or rate-limit the account, and the login path depends on bypassing protections around the account sign-in flow.
The authentication flow explicitly uses tooling to bypass a provider anti-bot/security control, which is risky even though it is disclosed.
This skill uses [cloudscraper] to bypass Cloudflare protection on Garmin's SSO.
Consider whether this violates your risk tolerance or Garmin’s terms. Avoid using the skill on accounts where account integrity is critical.
Anyone or any agent with access to the skill directory may be able to read detailed personal health information.
The skill intentionally persists sensitive health and fitness data locally so OpenClaw can read it later.
`{baseDir}/health/` — daily health markdown files (contains personal health data)
Keep the skill directory private, sync only the dates you need, and do not share the generated health markdown files unintentionally.
Future dependency versions could change behavior or introduce vulnerabilities without a lockfile in the provided artifacts.
uv will install these Python dependencies at runtime, and cloudscraper is unpinned while garminconnect allows newer versions.
dependencies = ["garminconnect>=0.2.38", "cloudscraper"]
Review and pin dependencies if you need reproducible behavior, and install only from trusted package sources.
If scheduled, the skill can continue pulling Garmin data every day until the cron job or cached tokens are removed.
The skill recommends optional recurring execution with cached tokens, creating ongoing automated account access if the user enables it.
Schedule the sync script to run every morning using OpenClaw's `cron` tool so your health data stays up to date automatically.
Use cron only if you want ongoing automatic sync, and know how to disable the schedule and delete ~/.garminconnect tokens.
