Skill v1.0.0
ClawScan security
Garmin Trail Running Roadmap & Training Plan · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict: Review (reviewed Mar 16, 2026, 4:02 AM)
- Verdict: Review
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code mostly matches its description (fetch Garmin data, generate roadbooks, sync calendar) but the package metadata omits required credentials/dependencies and the code writes persistent tokens and runs macOS calendar commands — review before installing or providing credentials.
- Guidance: This skill appears to implement what it advertises, but the registry metadata is incomplete. Before installing or running:
  - (1) Review the code yourself or only run in a disposable environment;
  - (2) Be aware you must supply Garmin credentials (via env vars, CLI, or config.json) even though metadata says none — the scripts store tokens under ~/.clawdbot/garmin; treat that folder as sensitive and delete it if you revoke access;
  - (3) Install required Python packages (garminconnect, fitparse, gpxpy) from PyPI and validate versions;
  - (4) macOS calendar sync uses osascript and will create events — ensure you trust the generated AppleScript and permit calendar access intentionally;
  - (5) If you prefer not to hand over your password, consider creating a dedicated Garmin account or revocable credentials and verify token handling (tokens are not persisted to a remote server in this bundle); and
  - (6) Ask the publisher why required env vars and dependencies were omitted from the registry metadata — that mismatch is the main reason this is rated 'suspicious'.
Review Dimensions
- Purpose & Capability (note): The skill's code (garmin_auth, garmin_query, activity parsers, calendar sync) aligns with the stated purpose of reading Garmin data, producing analysis, and syncing calendar events. However, the registry metadata claims no required env vars/credentials while the implementation requires a Garmin account (email/password or saved tokens) and optional GARMIN_* env vars — a metadata mismatch.
- Instruction Scope (ok): SKILL.md and the scripts instruct the agent to read a local config.json or environment variables, call the garminconnect-based client, parse GPX/FIT files, generate HTML, and (on macOS) call osascript to write calendar events. All actions stay within the advertised functionality and do not appear to collect unrelated system data.
- Install Mechanism (note): This is an instruction-only skill (no install spec). The code depends on third-party Python packages (garminconnect, fitparse, gpxpy, etc.) but these dependencies are not declared in the registry metadata or an install step — the user must install them manually. No remote download URLs or archive extraction are present in the skill bundle itself.
- Credentials (concern): The implementation requires or supports Garmin credentials (email/password or tokenstore) and stores persistent tokens under ~/.clawdbot/garmin; it may also read the env vars GARMIN_EMAIL, GARMIN_PASSWORD, and GARMIN_IS_CN and write a config.json to the skill root. The registry metadata lists no required env vars or primary credential — the omission is a meaningful inconsistency that users should be aware of before providing credentials.
- Persistence & Privilege (note): The skill creates persistent state: a token store directory (~/.clawdbot/garmin) and a config.json in the skill directory. It does not request always:true and does not modify other skills, but stored tokens allow future API access without re-entering the password — treat the token store like credentials and plan for secure cleanup on uninstall.
