Garmin Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Garmin-to-Transition API helper, but it involves personal fitness data and an API key that users should treat as sensitive.

Install only if you trust Transition with Garmin-derived fitness data and coaching prompts. Keep TRANSITION_API_KEY private, avoid putting it in shared logs or repositories, review Transition's privacy and deletion practices, and require explicit confirmation before any agent pushes a workout to Garmin.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (6)

Missing User Warnings

Medium
Confidence: 89%
Finding
The README explicitly encourages users to send personalized Garmin data, training information, and AI chat prompts to a third-party API, but it does not provide a clear privacy, retention, or data-sharing warning at the point of use. Because this skill handles health and fitness data that many users may consider sensitive, the omission can lead to uninformed disclosure of personal data to an external service.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill explicitly routes sensitive health and activity data to an external AI service, but it does not disclose privacy implications, retention, third-party processing, or consent expectations. Because Garmin-derived metrics can reveal health status, habits, and location/time patterns, the lack of a clear warning materially increases privacy and compliance risk.

Missing User Warnings

Medium
Confidence: 93%
Finding
The setup instructions tell users to export a live API key but provide no guidance on secure storage, scoping, rotation, or avoiding accidental disclosure through shell history, logs, screenshots, or shared environments. This creates a realistic credential-handling weakness that could enable unauthorized access to the user's training and profile data.

Missing User Warnings

Medium
Confidence: 91%
Finding
The documentation includes a state-changing endpoint that pushes workouts to a Garmin device/account, but it does not warn users that the action modifies external state. In agent contexts, omission of this warning can cause unintended device/account changes or unsafe automation if the action is triggered without explicit confirmation.

External Transmission

Medium
Category: Data Exfiltration
Content
curl -X POST -H "X-API-Key: $TRANSITION_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"message": "How has my running volume changed this month compared to last?"}' \
  "https://api.transition.fun/api/v1/coach/chat"

# Get your fitness/fatigue/form metrics
curl -H "X-API-Key: $TRANSITION_API_KEY" \
Confidence: 87%
Finding
https://api.transition.fun/

External Transmission

Medium
Category: Data Exfiltration
Content
# Get your fitness/fatigue/form metrics
curl -H "X-API-Key: $TRANSITION_API_KEY" \
  "https://api.transition.fun/api/v1/performance/pmc"
Confidence: 84%
Finding
https://api.transition.fun/

VirusTotal

66/66 vendors flagged this skill as clean.