Garmin Health Report

Things to consider before installing: - Inspect SKILL.md and README for any hidden/control characters (the pre-scan flagged unicode-control-chars). Open the files in a hex-aware editor or run utilities to reveal invisible characters. - Review the included Python files locally (authenticate.py, garmin_client.py, health_daily_report.py). The code appears to call only the garth library and Garmin endpoints, but verify there are no unexpected network calls or hard-coded endpoints. - Understand token storage: the skill saves OAuth tokens under ~/.garmin-health-report (and a separate history file under ~/.garmin_health_report). Ensure you are comfortable with tokens being stored on disk and check file permissions. Logout/delete behavior may not remove all garth-generated token files (oauth1/oauth2 json) — manually inspect the directory if you remove credentials. - Verify the garth package reputation (pip package index, project repo). Using third-party pip packages has inherent supply-chain risk; prefer reviewing the package source or pinning versions. - Note region defaulting: authenticate.py defaults to China region unless you create config.json or pass explicit args. If you have a non-China Garmin account, run the auth script with the 'international' mode or create config.json to avoid connecting to the wrong domain. - If you have security concerns, run the scripts in a restricted environment (container/VM) and do not enter credentials until you are satisfied with the source. If you'd like, I can highlight the exact lines that reference token paths, domain configuration, and any places that might leave residual tokens so you can inspect them further.