ClawHub

Garmer

Security checks across malware telemetry and agentic risk

Overview

Garmer is a disclosed Garmin health-data tool, but it handles sensitive health data and saved login tokens that users should protect.

Install only if you trust the package source and are comfortable giving it Garmin Connect access. Treat saved tokens and exported JSON files as sensitive health data, avoid broad exports unless needed, delete tokens with `garmer logout` when done, and be careful with `garmer update` because it can change local package code from the configured git remote.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (29)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill invokes network access, shell commands, environment variables, and file writes, yet it declares no permissions or trust boundaries. That gap makes review and policy enforcement harder, especially because the skill handles Garmin credentials, session tokens, exported health data, and can write them to disk.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill advertises health-data extraction, but the documented behavior also includes credential-based authentication, persistent token storage, profile and device retrieval, settings access, JSON export to files, and self-update/version operations. This broader behavior increases access to sensitive personal data and system state beyond what a user might reasonably expect from the description, creating consent and data-minimization risks.

Context-Inappropriate Capability

Low
Confidence
88% confidence
Finding
A self-update command that performs a git pull introduces a supply-chain and change-control risk unrelated to the core task of reading Garmin health data. It can modify the installed code at runtime or between runs, making behavior less predictable and potentially pulling unreviewed code into a sensitive skill that handles credentials and health information.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The reference expands the accessible data well beyond the skill description’s apparent scope of fitness metrics by documenting profile, device, hydration, respiration, and broader health snapshot access. In an agent setting, this creates a capability mismatch that can mislead reviewers and users, increasing the risk of over-collection of sensitive personal data without clear consent boundaries.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The documented export_data function enables bulk extraction of comprehensive user data across date ranges, which is materially more powerful than ordinary read-only summary queries. In a health-data skill, bulk export amplifies privacy and exfiltration risk because an agent could retrieve large volumes of historical sensitive data in one operation.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill description is limited to extracting Garmin health and fitness data, but the CLI also includes a self-update path that performs `git pull` on the local repository. That gives the skill code-modification capability unrelated to its declared purpose, increasing the blast radius from data access to arbitrary code changes if the repository or upstream remote is compromised.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
Executing local git subprocesses for update and version management is not justified by a Garmin data-extraction skill and expands its operational privileges. In skill/agent environments, such capability is more dangerous because it allows the tool to inspect and mutate local source trees and trust external repository state, which can facilitate supply-chain compromise or unexpected local system effects.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The export command writes sensitive health data to an arbitrary filesystem path provided by the caller. While file export can be a legitimate feature, it materially exceeds a simple extraction/presentation interface and can expose private Garmin data to unintended locations, especially in agent contexts where path choices may be automated or poorly reviewed.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The client exposes additional categories of sensitive health and account data—user profile, registered devices, hydration, and respiration—beyond what the skill metadata says it needs. In an agent context, this expands data access scope and can lead to over-collection or disclosure of personal health information without clear user expectation or consent.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The snapshot, weekly report, and export methods aggregate many sensitive health metrics into single calls, materially broadening collection and making large-scale disclosure easier. For a conversational skill intended to answer user questions, this creates an unnecessary concentration of sensitive data and increases the blast radius of misuse, prompt abuse, or downstream logging.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
Bulk export of activities, sleep, and daily summaries across arbitrary date ranges is more powerful than needed for answering routine fitness questions. In a skill handling sensitive health data, export functionality greatly increases exfiltration risk because it enables rapid extraction of a large historical dataset in one operation.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
This extractor accesses profile, settings, personal information, goals, and device metadata in addition to core health metrics described in the skill manifest. That creates a data over-collection problem: users invoking a fitness-data skill may not reasonably expect retrieval of broader account and device details, increasing privacy exposure if the data is surfaced, logged, cached, or reused elsewhere.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The code retrieves personal information and registered device details without clear necessity for delivering sleep, activity, heart-rate, or similar fitness insights. In a health/fitness skill context, this mismatch is more dangerous because it combines sensitive wellness access with unrelated personal/account metadata, expanding the privacy blast radius beyond user expectations.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README explicitly documents exporting sensitive health data and storing OAuth tokens under a predictable local directory, but it does not warn users about the privacy implications, filesystem permissions, shared-machine risk, or secure handling of exported data. In a health-data extraction skill, this omission is material because users may expose medical-adjacent data and reusable authentication tokens without realizing the sensitivity.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation processes highly sensitive health data and instructs users to authenticate with Garmin credentials, but it does not provide an explicit privacy and sensitivity warning. In this context, omission is dangerous because users may not realize that tokens are stored locally and exports can create persistent copies of sleep, heart rate, stress, body composition, and other regulated or intimate data.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This example script logs and prints a broad set of highly sensitive health and fitness data, including sleep, heart rate, stress, hydration, weight, body composition, and activity history, directly to stdout. In real usage, console output may be captured by terminals, shell history tooling, CI logs, shared notebooks, screen recordings, or support bundles, which can expose private health information without any warning, minimization, or consent-oriented safeguards.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The integration retrieves sensitive health data and explicitly formats it for AI processing without any user-facing consent, warning, or data-minimization control. In a chatbot context, this can expose highly sensitive wellness information to downstream model processing or display layers in ways the user may not reasonably expect.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This code accesses historical activity and sleep records over a date range and prepares them for chatbot analysis without an explicit disclosure that sensitive historical health data will be processed. Historical trends can reveal intimate lifestyle, health, and behavioral patterns, making the privacy risk greater than a single-day snapshot.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation covers highly sensitive health and identity-linked data including sleep, heart rate, stress, body composition, hydration, respiration, profile, and activity history, yet provides no privacy warning, consent model, retention guidance, or limitations on agent use. In a conversational AI context, this is dangerous because users may not realize the breadth and sensitivity of the data being accessed and summarized.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The credential-based authentication example encourages direct handling of account email/password and automatic token saving without any warning about secrets management, local token protection, or avoiding plaintext credential exposure. In an agent ecosystem, this can normalize unsafe integration patterns that lead to credential leakage, insecure token storage, or accidental logging of account secrets.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This script retrieves highly sensitive health data and prints it directly to stdout with no consent check, warning, output minimization, or redaction. In an agent/tooling context, console output is often captured in logs, transcripts, or shared with downstream systems, so sleep, heart-rate, stress, and activity data may be exposed beyond the user’s intent.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The integration collects sensitive health data and explicitly reformats it for AI/chat consumption, but it provides no user-facing notice, consent flow, or data-minimization control before exposing sleep, heart rate, stress, hydration, and activity metrics. In this skill context, the data is especially sensitive because it is medical-adjacent personal information, and sending or displaying it through conversational systems increases the risk of unintended disclosure, over-retention, or sharing beyond the user's expectations.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code persists Garmin authentication tokens to disk by default in a predictable location under the user's home directory, but does not set restrictive file permissions, encrypt the tokens, or provide a user-facing warning/consent flow about persistent credential storage. Because this skill handles sensitive health-account access, local token theft by another local user, process, backup system, or malware could allow unauthorized access to the user's Garmin data without re-entering credentials.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This code exports highly sensitive health and fitness data to disk with only a generic status message and no meaningful privacy warning, retention guidance, or confirmation. In the context of a health-data skill, silent local persistence is riskier because exported files may be readable by other users, backed up to cloud services, or mishandled by downstream tooling.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The update command performs an immediate `git pull` that modifies the installed codebase without a confirmation step or trust verification. In an agent skill, that is especially dangerous because it can change future behavior and code provenance at runtime, turning a data-access tool into a self-modifying component.

VirusTotal

50/50 vendors flagged this skill as clean.

View on VirusTotal