Garmin Health Report

Security checks across malware telemetry and agentic risk

Overview

This Garmin report skill does what it claims, but its handling of Garmin login tokens and region selection needs review before use.

Only install this on a trusted machine. Before entering Garmin credentials, confirm whether you need garmin.com or garmin.cn, and do not rely on the built-in logout to clear access; manually inspect ~/.garmin-health-report for oauth1_token.json and oauth2_token.json and revoke Garmin sessions if needed. Also review or delete ~/.garmin_health_report/history.json if you do not want local health metrics retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 94%
Finding: The skill clearly performs network access to Garmin APIs and reads/writes local files for tokens, config, and history, yet no permissions are declared. This creates a transparency and consent problem: a user or agent runner may treat the skill as lower-risk than it is, while it actually handles credentials and persists sensitive health-related data.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 92%
Finding: The stated purpose suggests report generation, but the documented behavior includes credential collection, API authentication, token persistence, profile retrieval, and local history storage. That mismatch is security-relevant because users may not realize the skill will request login secrets and retain long-lived access artifacts tied to sensitive health data.

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding: The logout routine claims to remove saved tokens, but it only deletes tokens.json, while garth authentication actually uses oauth1_token.json and oauth2_token.json. This leaves valid credentials on disk after logout, so a local user or later process could still reuse the session, undermining user expectations and session invalidation.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding: load_tokens() checks for tokens.json, but the rest of the module and garth.save() use oauth1_token.json and oauth2_token.json. This inconsistency can cause the code to report no tokens while valid token files still exist, leading to broken authentication state handling and making logout/session management less reliable in a credential-handling component.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding: The README instructs users that authentication tokens will be stored in a local file but does not warn about the sensitivity of those tokens or advise on protecting file permissions. OAuth/session tokens can often be reused to access a user's Garmin account data, so undocumented local persistence increases privacy and account-takeover risk if the host is shared or compromised.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal