Back to skill

Security audit

Garmer

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its Garmin health-data purpose, but it deserves review because it stores sensitive Garmin tokens and includes a self-update command that can change local code via git.

Install only if you are comfortable giving the tool access to Garmin health data and storing Garmin OAuth tokens locally. Prefer interactive login rather than passing a password on the command line, protect `~/.garmer/garmin_tokens` and exported JSON files, and avoid running `garmer update` unless you trust the repository remote and understand it can change the installed code.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output HandlingUnvalidated Output Injection, Cross-Context Output, Unbounded Output
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (24)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises and documents capabilities that access environment variables, write files, use the network, and invoke shell commands, but it does not declare corresponding permissions or provide explicit user-facing safety constraints. This creates a transparency and governance gap: users may authorize a seemingly simple data-extraction skill without realizing it can persist tokens locally, export sensitive health data to disk, authenticate over the network, and run maintenance commands.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior goes beyond the stated purpose of answering Garmin health/fitness queries: it includes retrieval of profile, device, and settings data, local export of bulk data, and a self-update command that performs git pull via subprocess. That mismatch increases the risk of over-collection and unexpected code/network execution, especially because users may consent to a narrow health-summary use case while the skill can access broader personal metadata and change local software state.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The reference expands the skill's apparent capabilities beyond the stated scope by documenting profile access, device enumeration, broad export functions, and an AI-oriented integration layer. In an agent context, this can enable over-collection and misuse of sensitive data because downstream components may treat the reference as authorization to access or expose more data than the user reasonably expects from the manifest description.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill contains self-update behavior that performs `git pull` from a discovered local repository, which is outside the stated Garmin-data extraction purpose and expands the trust boundary significantly. If the tracked remote repository or local git configuration is compromised, invoking this command can import and activate attacker-controlled code on the user's machine.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Executing local git subprocesses unrelated to Garmin data access introduces unnecessary code-management capabilities into a health-data skill. This increases attack surface and creates an unexpected path for remote content to alter local code, which is especially risky for an agent-integrated tool handling sensitive personal data.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The weekly summary logic is broken because it calls datetime.timedelta even though only the datetime class was imported via 'from datetime import date, datetime', so datetime.timedelta is unavailable and can raise an exception when the default week_start path or end-date calculation is used. In a health-data skill, this can cause summary generation to fail unexpectedly, leading to denial of service for the feature and potentially incorrect downstream behavior if callers rely on this summary.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
This extractor accesses personal information, goals, registered devices, and device settings in addition to fitness metrics described in the skill metadata. That creates a scope-expansion/privacy risk because authenticated API access can collect more sensitive account data than users would reasonably expect from a health-data skill.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Registered device inventory and per-device settings are not obviously necessary to answer requests about fitness metrics, sleep, stress, or body composition. Exposing these endpoints increases privacy and fingerprinting risk by revealing owned hardware and configuration details that can be misused for profiling or unnecessary data collection.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README promotes exporting Garmin health data and sending structured summaries to AI analysis workflows, but it provides no privacy, consent, retention, or secure-handling guidance for highly sensitive biometric and wellness data. In a health-data extraction skill, omission of these warnings can lead users or integrators to store, transmit, or analyze regulated or intimate personal data insecurely, increasing risk of privacy breaches and secondary misuse.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill instructs users to log in with Garmin credentials and save authentication tokens locally, but it does not present a clear privacy warning about the sensitivity of health data and stored tokens before setup. In a health-data context, missing disclosure is dangerous because users may not understand that highly sensitive biometric and wellness information will be accessed and retained on disk for future reuse.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The export workflow writes multi-day health data to a JSON file without warning users that sensitive medical/fitness information will be persisted locally in a potentially readable format. This increases the chance of accidental disclosure through shared machines, backups, logs, sync services, or subsequent processing by other tools.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
This code retrieves sensitive health data and explicitly formats it for AI/chat consumption without any user-facing consent, warning, or data-minimization step. In a chatbot integration, that increases the risk that highly personal biometric and wellness data is transmitted to downstream systems or displayed in contexts the user did not clearly approve.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The integration fetches multi-day activity and sleep history, which are sensitive health records, without any explicit notice or confirmation that historical data will be accessed for analysis. The skill context makes this more concerning because a health-focused assistant is handling intimate longitudinal data that may reveal medical, behavioral, or lifestyle patterns beyond what a user expects from a simple query.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation describes handling highly sensitive health, biometric, and profile data—including sleep, heart rate, stress, body composition, hydration, respiration, birth date, weight, and email—without any privacy disclosure, consent guidance, retention limits, or safe-handling instructions. In an AI skill, this increases the chance that sensitive data will be fetched, summarized, exported, or surfaced to other components without adequate user awareness or data minimization.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The snapshot command prints a full health snapshot as formatted JSON, which may include highly sensitive personal health information and potentially more fields than a user expects. In an agent or logged execution environment, this can expose health data to chat transcripts, logs, downstream tools, or other observers without minimization or explicit confirmation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code retrieves sensitive health data and explicitly formats it for AI processing and chat output without any consent gate, minimization step, or disclosure to the user. Health metrics such as sleep, heart rate, stress, and hydration are highly sensitive personal data, and exposing them to an LLM or chat surface can create privacy and compliance risks if the user does not clearly understand how their data is being used.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This function fetches multi-day activity history and prepares aggregate insights and recommendations for downstream AI/chat use without an explicit disclosure that personal fitness history is being processed. Historical activity records can reveal routines, health status, and lifestyle patterns, so silent collection and analysis increases privacy exposure beyond what a user may expect from a simple chat interaction.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code accesses detailed sleep records, including sleep duration, deep sleep, REM sleep, scores, and sleep heart rate, and uses them for trend analysis without explicit user disclosure or consent. Sleep data is particularly sensitive health information, and the skill context increases risk because the module is designed to feed these records into an AI assistant workflow where over-collection or secondary use may not be obvious to the user.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The CLI accepts a password via `--password`, which can expose credentials through shell history, process listings, audit logs, or agent invocation traces. In a skill dealing with health and account data, that creates avoidable credential-compromise risk.

Unvalidated Output Injection

High
Category
Output Handling
Content
return 0

        # Show what will change
        log_result = subprocess.run(
            ["git", "log", "--oneline", "HEAD..@{u}"],
            cwd=package_root,
            capture_output=True,
Confidence
89% confidence
Finding
subprocess.run( ["git", "log", "--oneline", "HEAD..@{u}"], cwd=package_root, capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
print(log_result.stdout)

        # Pull the changes
        pull_result = subprocess.run(
            ["git", "pull", "--ff-only"],
            cwd=package_root,
            check=True,
Confidence
88% confidence
Finding
subprocess.run( ["git", "pull", "--ff-only"], cwd=package_root, check=True, capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
package_root = _get_package_root()
    if package_root:
        try:
            result = subprocess.run(
                ["git", "rev-parse", "--short", "HEAD"],
                cwd=package_root,
                capture_output=True,
Confidence
71% confidence
Finding
subprocess.run( ["git", "rev-parse", "--short", "HEAD"], cwd=package_root, capture_output

Known Vulnerable Dependency: pydantic — 4 advisory(ies): CVE-2021-29510 (Use of "infinity" as an input to datetime and date fields causes infinite loop i); CVE-2024-3772 (Pydantic regular expression denial of service); CVE-2021-29510 (Pydantic is a data validation and settings management using Python type hinting.) +1 more

High
Category
Supply Chain
Confidence
89% confidence
Finding
pydantic

Known Vulnerable Dependency: httpx — 2 advisory(ies): CVE-2021-41945 (Improper Input Validation in httpx); CVE-2021-41945 (Encode OSS httpx <=1.0.0.beta0 is affected by improper input validation in `http)

Critical
Category
Supply Chain
Confidence
93% confidence
Finding
httpx

VirusTotal

50/50 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.