Garmin Connect
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its Garmin-sync purpose, but it asks for Garmin credentials, stores OAuth tokens, and repeatedly caches/logs sensitive health data with under-declared safeguards.
Review before installing. If you use it, avoid passing your password on the command line, protect ~/.garth/session.json and ~/.clawdbot/.garmin-cache.json, remove or change the /tmp logging, update hard-coded paths, and only enable the 5-minute cron job if you want continuous Garmin account access.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Using the skill gives local scripts access to your Garmin account and health data through a saved token; entering the password as a command-line argument can also expose it through shell history or process listings.
The skill requires Garmin account credentials and stores a reusable OAuth session token, while the registry metadata declares no primary credential. This is high-impact account access that is under-declared to installers.
python3 scripts/garmin-auth.py your-email@gmail.com your-password ... This saves your OAuth session to `~/.garth/session.json`
Declare the Garmin credential/session requirement, avoid command-line passwords, prompt securely, restrict token-file permissions, and clearly state what Garmin data is accessed.
Your health and workout data may be written every 5 minutes to a temp log path that users may not expect or protect.
The cron wrapper redirects sync output to a /tmp log. The invoked sync script prints the full JSON Garmin data, so sensitive fitness and sleep data can be repeatedly persisted outside the documented ~/.clawdbot cache location.
timeout 30 python3 scripts/garmin-sync.py > /tmp/garmin-sync.log 2>&1
Do not log full health data by default; use a private app-owned log directory with restrictive permissions, document retention, and let users opt into logging.
If a user runs this helper, it may look for or save tokens under the wrong account path, or prompt for authentication with the wrong email, adding confusion about which Garmin identity is in use.
An included OAuth helper uses a developer-specific absolute session path and account email instead of the current user's home/account. That creates provenance and credential-boundary ambiguity in code that handles OAuth sessions.
client.load("/home/mamotec/.garth/session.json") ... print("garth auth moritz.vogt@vogges.de")
Remove developer-specific paths and emails, use Path.home() consistently, document only user-specific placeholders, and ensure all shipped auth helpers are reviewed and portable.
The skill can keep running and refreshing health data on a schedule until the cron entry is removed.
The background cron job is disclosed and purpose-aligned, but it is persistent automation that continues accessing Garmin data after setup.
⏱️ **Real-time sync**: Every 5 minutes via cron ... */5 * * * * python3 /home/user/garmin-connect-clawdbot/scripts/garmin-sync.py ~/.clawdbot/.garmin-cache.json
Install the cron entry only if you want continuous syncing, know how to remove it, and choose an appropriate sync frequency.
Users may underestimate the sensitivity of the local token file and password-entry method.
The wording may overstate safety: the session file contains a reusable token, and the setup command takes a password as a command-line argument. The README gives a clearer warning, but SKILL.md should also disclose this risk.
This saves your OAuth session to `~/.garth/session.json` — fully local and secure.
Replace broad security claims with specific guidance: protect the token file, avoid sharing logs, avoid command-line passwords, and revoke the Garmin session if compromised.
