ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Garmin Connect (Fixed)

Garmin Connect integration for Clawdbot: sync fitness data (steps, HR, calories, workouts, sleep) every 5 minutes using OAuth.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 2k · 6 current installs · 6 all-time installs
by@GodsBoy
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims OAuth-based sync (SKILL.md) but includes a username/password login script (garmin-auth.py) that asks you to run it with your password on the command line and even suggests disabling 2FA. That contradicts the 'OAuth only / secure' claim. Also the requirements.txt omits the 'garth' dependency which the code imports.
!
Instruction Scope
Runtime instructions tell users to run garmin-auth.py <email> <password> (exposes password via command-line/shell history) and to disable 2FA — both are unnecessary if using proper OAuth/browser flow. Several scripts reference hardcoded developer data/paths (e.g., /home/mamotec/.garth/session.json, moritz.vogt@vogges.de) which is out-of-scope and may leak developer PII or attempt to read/write other users' files.
Install Mechanism
There is no install spec (instruction-only), which is low risk. Dependencies are installed via pip -r requirements.txt, but requirements.txt omits 'garth' (used throughout scripts) and the SKILL.md mentions garth-cli elsewhere. The missing dependency is an inconsistency that will break setup and may cause users to install packages ad-hoc.
!
Credentials
The skill declares no required env vars, yet it requires user credentials (email/password) at runtime and writes/reads session tokens and cache files under home directories (~/.garth/session.json, ~/.clawdbot/.garmin-cache.json). It instructs disabling 2FA and saving session tokens locally; these are disproportionate risks relative to a simple sync integration. Hardcoded absolute paths also risk accidental access to other users' data.
Persistence & Privilege
The skill does not request 'always: true' and is not force-included. It will persist OAuth sessions and cache files in the user's home (normal for this kind of skill). However, the presence of hardcoded absolute paths (/home/mamotec/...) and cron instructions means it could be configured to run periodically under cron — acceptable for sync but verify cron entry and file paths before enabling.
What to consider before installing
Before installing or running this skill: - Do not run garmin-auth.py with your password on the command line; prefer browser-based OAuth (garth-cli) so credentials aren't stored in shell history. - Never disable 2FA; the script's suggestion to disable 2FA is a red flag. Use app-specific passwords or proper OAuth flows instead. - Inspect and edit scripts to remove hardcoded absolute paths and personal emails (e.g., /home/mamotec/.garth/session.json, moritz.vogt@vogges.de) — these are developer leftovers and may cause unintended reads/writes. - Add missing dependency 'garth' to requirements.txt or install it explicitly (pip install garth garth-cli) before running. - Keep the saved session file (~/.garth/session.json) protected (correct filesystem permissions) and verify where caches are written (~/.clawdbot/.garmin-cache.json or custom path). - Consider running first in an isolated environment (container or dedicated user) and do a code audit if you will store sensitive auth artifacts. - If you need a lower-risk setup, prefer the OAuth browser flow (garth-cli) and avoid providing your password to scripts; update README/SKILL.md to reflect the safer flow and remove advice to disable 2FA.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.1.0
Download zip
latestvk977s721gm9gkzxbg1t3zj3vyd802hk9

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Garmin Connect Skill

Sync all your Garmin fitness data to Clawdbot:

  • 🚶 Daily Activity: Steps, heart rate, calories, active minutes, distance
  • 😴 Sleep: Duration, quality, deep/REM/light sleep breakdown
  • 🏋️ Workouts: Recent activities with distance, duration, calories, heart rate
  • ⏱️ Real-time sync: Every 5 minutes via cron

Quick Start

1. Install Dependencies

pip install -r requirements.txt

2. OAuth Authentication (One-time)

python3 scripts/garmin-auth.py your-email@gmail.com your-password

This saves your OAuth session to ~/.garth/session.json — fully local and secure.

3. Test Sync

python3 scripts/garmin-sync.py

You should see JSON output with today's stats.

4. Set Up 5-Minute Cron

Add to your crontab:

*/5 * * * * /home/user/garmin-connect-clawdbot/scripts/garmin-cron.sh

Or manually:

*/5 * * * * python3 /home/user/garmin-connect-clawdbot/scripts/garmin-sync.py ~/.clawdbot/.garmin-cache.json

5. Use in Clawdbot

Import and use in your scripts:

from scripts.garmin_formatter import format_all, get_as_dict

# Get all formatted data
print(format_all())

# Or get raw dict
data = get_as_dict()
print(f"Steps today: {data['summary']['steps']}")

Features

✅ OAuth-based (secure, no password storage) ✅ All metrics: activity, sleep, workouts ✅ Local caching (fast access) ✅ Cron-friendly (5-minute intervals) ✅ Easy Clawdbot integration ✅ Multi-user support

Data Captured

Daily Activity (summary)

  • steps: Daily step count
  • heart_rate_resting: Resting heart rate (bpm)
  • calories: Total calories burned
  • active_minutes: Intensity minutes
  • distance_km: Distance traveled

Sleep (sleep)

  • duration_hours: Total sleep time
  • duration_minutes: Sleep in minutes
  • quality_percent: Sleep quality score (0-100)
  • deep_sleep_hours: Deep sleep duration
  • rem_sleep_hours: REM sleep duration
  • light_sleep_hours: Light sleep duration
  • awake_minutes: Time awake during sleep

Workouts (workouts)

For each recent workout:

  • type: Activity type (Running, Cycling, etc.)
  • name: Activity name
  • distance_km: Distance traveled
  • duration_minutes: Duration of activity
  • calories: Calories burned
  • heart_rate_avg: Average heart rate
  • heart_rate_max: Max heart rate

Cache Location

By default, data is cached at: ~/.clawdbot/.garmin-cache.json

Customize with:

python3 scripts/garmin-sync.py /custom/path/cache.json

Files

FilePurpose
garmin-auth.pyOAuth setup (run once)
garmin-sync.pyMain sync logic (run every 5 min)
garmin-formatter.pyFormat data for display
garmin-cron.shCron wrapper script
requirements.txtPython dependencies

Troubleshooting

OAuth authentication fails

  • Check email/password
  • Disable 2FA on Garmin account (or use app password)
  • Garmin servers might be rate-limiting — wait 5 minutes

No data appears

  1. Sync your Garmin device with the Garmin Connect app
  2. Wait 2-3 minutes for data to sync
  3. Check that data appears in Garmin Connect web/app
  4. Then run garmin-sync.py again

Permission denied on cron

chmod +x scripts/garmin-cron.sh
chmod +x scripts/garmin-sync.py
chmod +x scripts/garmin-auth.py

Cache file not found

Run garmin-sync.py at least once to create cache:

python3 scripts/garmin-sync.py

Usage Examples

from scripts.garmin_formatter import format_all, get_as_dict

# Get formatted output
print(format_all())

# Get raw data
data = get_as_dict()
if data:
    print(f"Sleep: {data['sleep']['duration_hours']}h")
    print(f"Steps: {data['summary']['steps']:,}")

License

MIT — Use, fork, modify freely.

Made for Clawdbot | Available on ClawdHub

Files

9 total
Select a file
Select a file to preview.

Comments

Loading comments…