ClawHub

Garmin Trail Running Roadmap & Training Plan

Security checks across malware telemetry and agentic risk

Overview

This Garmin training skill is mostly aligned with its stated purpose, but it needs Review because it handles Garmin credentials, sensitive health data, stored session tokens, and calendar writes without enough scoping or user-control safeguards.

Install only if you are comfortable giving the agent access to your Garmin account and detailed health history. Avoid putting your Garmin password in config.json; prefer a temporary, user-controlled login method, review any generated calendar script before running it, avoid broad wellness/profile queries unless needed, and delete stored Garmin tokens under ~/.clawdbot/garmin when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises and instructs use of environment variables, local files, generated scripts, and shell execution, yet does not declare corresponding permissions. This creates a transparency and consent problem: users and the platform cannot accurately assess that the skill will read credentials, write artifacts, and invoke local commands such as Python and osascript.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose is narrow—generate trail race roadbooks and adaptive training plans from Garmin and GPX data—but the described behavior indicates collection of much broader health and profile data plus token/session storage. This over-collection and behavior mismatch is dangerous because users may consent to race-planning assistance without realizing the skill can access sensitive wellness data and persist authentication material locally.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script exposes a `profile` mode that retrieves and prints the user's full name and email, even though the stated skill purpose is generating trail roadbooks and training plans from sports and route data. Emitting this PII to stdout makes it easy for downstream agent components, logs, or other integrations to collect personal data beyond what is necessary for the advertised functionality.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
`fetch_profile()` collects account profile PII (`name`, `display_name`, and `email`) that is not justified by the skill description focused on training analysis and GPX-based planning. This violates data minimization principles and increases privacy exposure if the data is logged, forwarded to an LLM, or retained by the agent platform.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script exposes a broad set of Garmin health and wellness endpoints, including hydration, stress, respiration, SpO2, body composition, fitness age, and intraday heart rate, which materially exceeds the stated purpose of generating trail race roadbooks, training plans, and calendar sync. Over-collection of sensitive data increases privacy risk and attack surface, especially because these functions make bulk retrieval easy without any purpose limitation or minimization controls.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The body composition function retrieves highly sensitive health data such as weight, body fat percentage, and muscle mass, which is not clearly necessary for producing a trail running roadmap or route book. This type of data can be misused for profiling or expose intimate health information if logged, exported, or accessed by other components.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill describes syncing training plans into the macOS/iOS system calendar, which modifies user data and may trigger OS permission prompts, but it does not present an explicit warning or confirmation step. This can lead to unintended calendar changes, duplicate events, or trust erosion because users are not clearly informed before a state-changing action occurs.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The workflow explicitly instructs generating calendar-sync code and then executing it, but omits a safety notice about system changes and permission use. Auto-executing generated integration code is risky because it crosses from analysis into action on the host system, potentially writing unwanted events or abusing automation privileges if the generated code is altered or incorrect.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs users to provide Garmin email and password via config.json or environment variables and to run a login script, but gives no clear guidance on secure handling of those secrets. This is dangerous because credentials may be exposed in plaintext files, shell history, logs, process listings, or accidentally committed to source control, leading to account compromise and exposure of sensitive health data.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script explicitly reads a Garmin account password from config.json when CLI arguments are absent, which encourages storage of long-lived credentials in a local file without any warning, validation of file permissions, or secure secret-management mechanism. Because this skill handles access to a fitness account and persists authentication tokens, compromise of the config file could expose both account credentials and downstream personal activity data; in this context, the issue is more dangerous because the skill automates login and calendar/training workflows around sensitive user data.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The module is designed to fetch highly sensitive health data such as sleep, HRV, heart rate, stress, and activities, then serialize the results directly to stdout as JSON. In an agent setting, stdout is commonly captured by orchestrators, logs, and other tools, so this creates a broad privacy leakage path without any visible warning, consent flow, or output minimization.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The CLI routes sensitive health metrics directly to JSON output with no privacy notice, sensitivity labeling, confirmation step, or output redaction. This creates a straightforward path for accidental disclosure through terminal history, logs, downstream tooling, or other agents consuming stdout.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The generated script will create calendar events through AppleScript without any explicit consent flow, warning, or preview step before modifying the user's calendar. In this skill's context, automatic calendar synchronization is a core feature, but silently performing system-level writes can still surprise users, create unwanted events, and normalize hidden side effects if race names or future inputs are reused in more dangerous ways.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal