Garmin Sync Cn To Global
ReviewAudited by ClawScan on May 1, 2026.
Overview
This skill appears purpose-aligned for syncing Garmin activities, but users should notice that it handles Garmin account credentials, stores local state, and uploads activity data to another Garmin account.
This looks like a straightforward Garmin activity sync tool, not a deceptive one. Before installing, make sure you are comfortable giving it Garmin credentials, storing those credentials locally, installing the `garth` Python package, and allowing it to upload activities into your Garmin Global account.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who can read that local credentials file could access the Garmin accounts used for syncing.
The skill requires Garmin account credentials and stores them locally as plaintext. This is disclosed and purpose-aligned, but it is sensitive account access.
Credentials are stored in plaintext at `~/.config/garmin-sync/credentials.json`
Use restrictive file permissions, consider a dedicated account if possible, and avoid installing or running this with primary credentials unless you trust the code and dependency.
Running the sync can add activities to the Garmin Global account without per-activity confirmation.
The sync operation uploads downloaded Garmin activity files into the Global Garmin account. This is the stated purpose, but it changes third-party account data.
result = client_int.upload(fit_file)
Run the sync only when you intend to copy activities, start with `--new-only` if appropriate, and review the account afterward for unintended duplicates.
Installing an unexpected or compromised dependency could affect the machine or Garmin credentials used by the tool.
The setup instructions rely on an unpinned external Python package. This is expected for a Garmin integration but leaves package version and provenance to the user.
pip install garth
Install `garth` from a trusted package index, consider pinning a reviewed version, and run the tool in an environment you control.
Local state files may retain personal activity metadata after a failed sync.
The skill persists failed sync records locally for retry. These records may include Garmin activity metadata and are reused on later sync runs.
FAILED_FILE = os.path.join(CONFIG_DIR, 'failed_records.json')
Inspect or delete `~/.config/garmin-sync/failed_records.json` and related state files if you no longer need retries or are removing the skill.