Garmin Health Report
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its Garmin health-reporting purpose, but its Garmin credential/session handling has review-worthy problems around regional login behavior and token cleanup.
Review the authentication code before entering Garmin credentials. Confirm which Garmin region/domain it will actually use (the login path configures garmin.cn regardless of the advertised mode), and do not rely on the current logout path to remove saved access: it deletes only tokens.json, so manually check ~/.garmin-health-report for oauth1_token.json and oauth2_token.json and revoke sessions from Garmin if needed. Also protect (owner-only permissions) or delete ~/.garmin_health_report/history.json if you do not want local health history retained.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may enter Garmin credentials believing they are authenticating against the international Garmin service while the script appears to configure garmin.cn instead.
The script advertises an international Garmin mode, but the login path unconditionally calls the China-domain configuration immediately before password login. This creates an unclear credential boundary for users who expect garmin.com.
if args.mode == 'international': is_cn_arg = False; print("Mode: 国际版 - garmin.com") ... self._configure_cn_domain(); garth.login(username, password)
(The printed string 国际版 means "international edition"; the message says garmin.com while the next call configures the China domain.)
Make domain selection conditional on the user's explicit choice, confirm the selected domain before prompting for a password, and update the documentation to match the actual default.
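The following is an added example, not the skill's code, of a login flow that fixes the ordering problem above: the domain is derived only from the user's explicit choice, shown to the user, and confirmed before any password prompt. The names resolve_domain, login_flow and trace_login are hypothetical; the four injected callables stand in for the real domain configuration, garth.login, getpass.getpass and an input() yes/no prompt so the sequence can be checked offline.

```python
from typing import Callable, Optional

# Added example, not the skill's code. Maps the CLI mode to a Garmin domain and
# refuses to guess when the inputs conflict; names here are hypothetical.
DOMAINS = {"international": "garmin.com", "cn": "garmin.cn"}


def resolve_domain(mode: Optional[str], is_cn_flag: bool) -> str:
    """Pick the domain from an explicit user choice.

    An explicit mode wins; a --cn style flag is the fallback. Contradictory
    inputs raise instead of silently picking one region.
    """
    if mode is None:
        return "garmin.cn" if is_cn_flag else "garmin.com"
    if mode not in DOMAINS:
        raise ValueError(f"unknown mode {mode!r}")
    domain = DOMAINS[mode]
    if is_cn_flag and domain != "garmin.cn":
        raise ValueError("--cn flag contradicts mode 'international'")
    return domain


def login_flow(
    mode: Optional[str],
    is_cn_flag: bool,
    username: str,
    configure: Callable[[str], None],
    login: Callable[[str, str], None],
    ask_password: Callable[[str], str],
    confirm: Callable[[str], bool],
) -> str:
    """Configure the chosen domain, show it, then (and only then) ask for a password.

    The four callables are injected so the ordering can be checked offline; in
    the skill they would be the garth domain configuration, garth.login,
    getpass.getpass and an input() yes/no prompt.
    """
    domain = resolve_domain(mode, is_cn_flag)
    configure(domain)  # the only place the domain is set, and it is the user's choice
    if not confirm(f"Log in to https://{domain} as {username}? [y/N] "):
        raise SystemExit("login cancelled; no credential was entered")
    password = ask_password(f"Password for {username} on {domain}: ")
    login(username, password)
    return domain


def trace_login(mode: Optional[str], is_cn_flag: bool) -> list:
    """Run login_flow with recording stand-ins and return the ordered call trace."""
    events = []
    login_flow(
        mode,
        is_cn_flag,
        "user@example.com",  # constructed sample account, not a real one
        configure=lambda d: events.append(("configure", d)),
        login=lambda u, p: events.append(("login", u)),
        ask_password=lambda prompt: events.append(("password_prompt",)) or "hunter2",
        confirm=lambda prompt: events.append(("confirm", prompt)) or True,
    )
    return events


if __name__ == "__main__":
    for step in trace_login("international", False):
        print(step)
```

The trace makes the property reviewable in a unit test: the configure call must carry the domain the user asked for, and the password prompt must come after the confirmation, never before it.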
A user may think Garmin access was removed while saved session tokens remain usable on the machine.
Authentication checks and saves garth OAuth token files, but logout only deletes self.token_path, which is tokens.json. The actual OAuth token files can remain after the user chooses logout.
oauth1 = self.token_dir / "oauth1_token.json"; oauth2 = self.token_dir / "oauth2_token.json" ... garth.save(self.token_dir) ... if self.token_path.exists(): self.token_path.unlink()
Update logout to delete oauth1_token.json and oauth2_token.json, document the exact token files, set restrictive file permissions, and advise users how to revoke sessions from Garmin if needed.
Sleep, heart-rate, activity, and trend data may remain on disk after reports are generated.
The report stores local health history for trend analysis. This is aligned with the skill's purpose, but it creates persistent sensitive health data outside Garmin.
# This file stores daily health data for 7-day trend analysis
HISTORY_FILE = os.path.expanduser("~/.garmin_health_report/history.json")
Protect the history file, document retention and cleanup, and let users disable or delete local history if they do not want persistent health data.
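An added example, not the skill's code, covering the two local-data findings above: a logout that removes every known token file (oauth1_token.json, oauth2_token.json and tokens.json, the names this review identifies) rather than only tokens.json, a leftover-token check a user can run after logout, and a history writer that creates history.json with owner-only permissions plus a delete routine. The directory names are the ones quoted in this review; the helper names and the sample history contents are hypothetical, and demo() runs everything against constructed stand-in files in a temporary directory.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Added example, not the skill's code. The three token file names and the
# history file come from the review; everything else is hypothetical.
TOKEN_FILES = ("oauth1_token.json", "oauth2_token.json", "tokens.json")


def leftover_tokens(token_dir: Path) -> list:
    """Known token files still present. Run this after logout; it should be empty."""
    return [name for name in TOKEN_FILES if (token_dir / name).exists()]


def logout(token_dir: Path) -> list:
    """Remove every known token file, not only tokens.json. Returns what was removed."""
    removed = []
    for name in TOKEN_FILES:
        path = token_dir / name
        if path.exists():
            path.unlink()
            removed.append(name)
    return removed


def save_history(history_file: Path, data: str) -> None:
    """Write local health history so that only the owning user can read it."""
    history_file.parent.mkdir(parents=True, exist_ok=True)
    fd = os.open(history_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    os.chmod(history_file, stat.S_IRUSR | stat.S_IWUSR)  # tighten a pre-existing file too


def clear_history(history_file: Path) -> bool:
    """Delete the retained history; True if a file was actually removed."""
    if history_file.exists():
        history_file.unlink()
        return True
    return False


def file_mode(path: Path) -> int:
    """Permission bits of a file, or -1 where POSIX modes do not apply."""
    if os.name != "posix":
        return -1
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> dict:
    """Exercise the helpers on constructed stand-in files in a temp directory."""
    root = Path(tempfile.mkdtemp(prefix="garmin-cleanup-"))
    try:
        token_dir = root / ".garmin-health-report"
        token_dir.mkdir()
        for name in TOKEN_FILES:
            (token_dir / name).write_text("{}")  # constructed placeholders, not real tokens
        history = root / ".garmin_health_report" / "history.json"
        save_history(history, '{"2026-05-10": {"resting_hr": 52, "sleep_h": 7.1}}')
        return {
            "before_logout": leftover_tokens(token_dir),
            "removed": logout(token_dir),
            "after_logout": leftover_tokens(token_dir),
            "history_mode": file_mode(history),
            "history_cleared": clear_history(history),
            "history_gone": not history.exists(),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Deleting the files locally does not invalidate the OAuth session on Garmin's side; a user who suspects the tokens were exposed still needs to revoke the session from their Garmin account.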
Installing later versions of the dependency may change how Garmin credentials or tokens are handled.
The credential-handling dependency is installed with a lower-bound version and no upper pin or hash. This is expected for Garmin API access, but future package changes could affect authentication behavior.
garth>=0.4.0
Pin the dependency to an exact version (==) rather than a lower bound, review the package's provenance before upgrading, and install from a hash-pinned requirements file or lockfile (for pip, --require-hashes) so that a changed or substituted package cannot silently alter how credentials and tokens are handled.
