Back to skill
Skillv1.0.0
VirusTotal security
garmin-connect-skill · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMar 27, 2026, 11:06 PM
- Hash
- a5fc0e7621b448955d34801272da3a83dbbe095410cf93262171543b75bf05fc
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: garmin-connect-skill Version: 1.0.0 The skill bundle provides a functional Garmin Connect integration but exhibits several high-risk security vulnerabilities. Most notably, 'scripts/daily_health_report_feishu.py' contains a hardcoded Feishu App ID and App Secret (cli_a93b2fe33db85bce / sXYUTkNRSSBFxYTTS8UNfe7koyZwS8PB), and 'scripts/garmin-auth.py' stores user passwords in plaintext Base64 obfuscation within '~/.garth/session.json'. Additionally, 'scripts/garmin_quick_response.py' utilizes 'os.popen' for command execution, and 'scripts/sync_all.py' contains hardcoded absolute paths to a specific developer's local environment ('/Users/sq/...'). While these appear to be unintentional security flaws rather than deliberate malware, they pose a significant risk to credential confidentiality.
- External report
- View on VirusTotal