Garminskill

What to consider before installing: - Account security: The script requires a one-time email/password login and caches OAuth tokens in ~/.garminconnect. Those tokens grant access to your Garmin account — protect the directory (file permissions) and avoid backing it up to untrusted cloud storage. - 2FA recommendation: The README says the garminconnect library does not support 2FA and instructs disabling two-step verification to use the skill. Disabling 2FA weakens your account security; weigh this tradeoff and consider using a separate Garmin account if you want to maintain MFA on your main account. - Dependency trust: The skill relies on the garminconnect and cloudscraper Python libraries. cloudscraper is explicitly used to bypass Cloudflare protections; while necessary to access the Garmin SSO endpoints, it increases the network/automation complexity. Review those libraries and the script if you have concerns about network behavior. - Installation source: The registry uses Homebrew to install uv (preferred). The README also documents curl | sh installers for uv — avoid running installers from unknown hosts unless you trust them. Prefer package manager installs from trusted repositories. - Local setup only: Setup is interactive and runs locally (uv run ...). Do not paste passwords into chat or allow remote agents to perform setup. The skill has disable-model-invocation enabled, which prevents the model from autonomously running it. - Audit if needed: If you want extra assurance, review the included script (scripts/sync_garmin.py) yourself or run it in a constrained environment. Consider creating a secondary Garmin account for testing if you don't want to alter your main account's security settings. Overall: the skill appears to do what it claims and is proportionate to its purpose, but be mindful of the explicit advice to disable 2FA and of the sensitive cached tokens it stores locally.