Garmer
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or anything able to use the saved token can retrieve private Garmin health and profile data.
The skill requires Garmin account credentials and persists OAuth tokens, which is purpose-aligned for Garmin data access but grants ongoing access to a sensitive health account.
Requires Garmin Connect account credentials for authentication... garmer login... prompt for your Garmin Connect email and password. Tokens are saved to `~/.garmer/garmin_tokens`
Only authenticate if you trust the installed package, protect the token directory, and revoke Garmin sessions/tokens if you uninstall or no longer use the skill.
Future dependency versions could change behavior after installation or update.
The package uses version ranges rather than pinned dependencies. That is common for Python projects, but users should be aware because this skill handles credentials and health data.
dependencies = ["garth>=0.4.0", "pydantic>=2.0.0", "httpx>=0.25.0", "python-dateutil>=2.8.0"]
Install from a trusted source, consider using a lockfile or pinned versions, and review package provenance before entering Garmin credentials.
Your sleep, heart rate, stress, activity, hydration, and related health details may be shown to or processed by the assistant.
The integration is designed to pass Garmin health summaries into an AI assistant workflow. This is disclosed and purpose-aligned, but it means private health metrics may enter chat/model context.
methods that can be called by MoltBot to retrieve health insights and formatted data for AI analysis
Use the skill only for questions where you want Garmin health data included, and avoid exporting or sharing more history than needed.