Back to skill
Skillv1.0.0
VirusTotal security
Garmin Connect · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
BenignMay 1, 2026, 3:07 AM
- Hash
- 820ffce30949c958172ea0e3ebf95f907766f972d930201ccddcfcb1d815acd5
- Source
- palm
- Verdict
- benign
- Code Insight
- Type: OpenClaw Skill Name: garmin-connect Version: 1.0.0 The OpenClaw AgentSkills skill bundle for Garmin Connect appears benign. Its primary function is to sync fitness data locally using OAuth. While `scripts/garmin-auth.py` takes the user's password as a command-line argument for initial OAuth setup (a known security risk as it can appear in process history), this is explicitly documented in `SKILL.md` and `README.md` as a one-time step to obtain an OAuth token, not to store the password itself. Minor issues include hardcoded developer paths in `scripts/garmin-cron.sh` and `scripts/garmin-auth-oauth.py`, and a developer's email used as an example in print statements within `scripts/garmin-auth-oauth.py` and `scripts/garmin-sync-oauth.py`, but these do not indicate malicious intent or significant security vulnerabilities. All network and file access is aligned with the stated purpose of syncing and caching Garmin data.
- External report
- View on VirusTotal