Garmer

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: garmer
Version: 1.0.2

The skill is classified as suspicious due to the `garmer update` command implemented in `src/garmer/cli.py`. This command executes `git pull --ff-only` via `subprocess.run()`, which is a high-risk capability. While the intent appears to be benign self-maintenance and is explicitly documented in `SKILL.md` and `README.md`, the ability to execute external commands for updating the skill itself introduces a potential vector for arbitrary code execution if the source repository were compromised. The handling of Garmin Connect credentials and data extraction from Garmin APIs is otherwise aligned with the stated purpose and does not show clear malicious intent.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone or anything able to use the saved token can retrieve private Garmin health and profile data.

Why it was flagged

The skill requires Garmin account credentials and persists OAuth tokens, which is purpose-aligned for Garmin data access but grants ongoing access to a sensitive health account.

Skill content

Requires Garmin Connect account credentials for authentication... garmer login... prompt for your Garmin Connect email and password. Tokens are saved to `~/.garmer/garmin_tokens`

Recommendation

Only authenticate if you trust the installed package, protect the token directory, and revoke Garmin sessions/tokens if you uninstall or no longer use the skill.

What this means

Future dependency versions could change behavior after installation or update.

Why it was flagged

The package uses version ranges rather than pinned dependencies. That is common for Python projects, but users should be aware because this skill handles credentials and health data.

Skill content

dependencies = ["garth>=0.4.0", "pydantic>=2.0.0", "httpx>=0.25.0", "python-dateutil>=2.8.0"]

Recommendation

Install from a trusted source, consider using a lockfile or pinned versions, and review package provenance before entering Garmin credentials.

What this means

Your sleep, heart rate, stress, activity, hydration, and related health details may be shown to or processed by the assistant.

Why it was flagged

The integration is designed to pass Garmin health summaries into an AI assistant workflow. This is disclosed and purpose-aligned, but it means private health metrics may enter chat/model context.

Skill content

methods that can be called by MoltBot to retrieve health insights and formatted data for AI analysis

Recommendation

Use the skill only for questions where you want Garmin health data included, and avoid exporting or sharing more history than needed.