Garmin Sync Cn To Global

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it syncs Garmin activity data between two Garmin accounts, but users should treat its password handling carefully.

Install only if you are comfortable giving the tool Garmin credentials and letting it copy activity data into Garmin Global. Prefer a dedicated or low-risk account, verify the `garth` package source/version, avoid entering passwords in shared shells, and delete `~/.config/garmin-sync` if you stop using it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 95%
Finding: The script accepts account passwords via command-line flags, which can expose secrets through shell history, process listings, job control tools, or logging wrappers. In a credential-handling sync tool, this creates a realistic path for local credential disclosure to other users or monitoring software on the same system.

Missing User Warnings

Low
Confidence: 82%
Finding: The code writes downloaded activity archives to a predictable path under /tmp before deleting them. Temporary files in shared temp directories can be exposed through race conditions, symlink attacks, weak directory permissions, or residual data recovery if cleanup fails, leaking private fitness data.

VirusTotal

64/64 vendors flagged this skill as clean.
