Garmin Tracker
PassAudited by ClawScan on May 10, 2026.
Overview
This Garmin tracking skill is coherent and purpose-aligned, but it needs access to your Garmin browser session or optional Garmin credentials and stores fitness data locally.
Install only if you are comfortable letting the skill use your Garmin logged-in browser session and update garmin_tracking.json. Prefer manual browser login over password fallback, avoid optional debug dumps unless necessary, and consider pinning playwright-core in controlled environments.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may interact with your logged-in Garmin account or use credentials you provide to sign in.
The skill intentionally uses an authenticated Garmin session and may ask for Garmin username/password as a fallback. This is expected for Garmin sync, but it grants account-level access during the run.
The user signs in locally to Garmin in the browser profile used by OpenClaw... Credentials fallback only if browser login is not possible or explicitly rejected by the user.
Prefer browser/manual login mode when possible, and only use credentials fallback in a trusted environment.
Installing the dependency could introduce whatever version npm resolves at the time of installation.
The skill may require installing an unpinned npm package at runtime. Browser automation is central to the purpose, but unpinned installs can change over time.
If you get MODULE_NOT_FOUND: playwright-core, install it in the active workspace: npm install playwright-core
If you manage the environment, consider pinning playwright-core to a known version or installing it through a reviewed workspace dependency file.
If debug dumping is used, Garmin page content may be saved to a local file beyond the normal tracker file.
The sync script documents an optional debug dump of raw extracted Garmin page data. That may include more personal fitness/account page text than the final normalized JSON.
--debug-dump <path> Write raw extraction payload for parser tuning
Avoid debug dumps unless needed, store them in a private location, and delete them after troubleshooting.