ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Garmin Connect

v1.0.0

Garmin Connect integration for OpenClaw: sync fitness data (steps, HR, calories, workouts, sleep) using OAuth. Supports China (garmin.cn) and Global (garmin....

0· 40·0 current·0 all-time
by@tcyxk
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The files and scripts (garmin-auth.py, garmin-sync.py, sync_all.py, garmin_db_reader.py, etc.) match the stated purpose of syncing Garmin fitness data to a local SQLite DB and offering read/notify features. Requesting user credentials for Garmin is expected. However, some example paths reference /home/roots and claim an automatically configured systemd timer despite there being no install spec to create systemd units; that mismatch is unexplained.
!
Instruction Scope
SKILL.md instructs running garmin-auth with email and password on the command line (exposes password via process list), tells users to view ~/.garth/session.json (exposes stored credentials), and suggests using sudo systemctl commands to start/enable a timer. The scripts read and write several user-local files (~/.garth/session.json, ~/.clawdbot/garmin/data.db, ~/.clawdbot/.garmin-cache.json, feishu config files) and can enqueue/send messages to external services (Garmin and Feishu). While these actions are in-scope for a sync/notify skill, the specific guidance to pass raw passwords on the CLI and to cat the session file is insecure and should be changed.
Install Mechanism
There is no install spec (instruction-only), which minimizes installer risk. The package includes many Python scripts and a requirements.txt listing garminconnect and requests — reasonable for the functionality. However, SKILL.md claims a systemd timer is 'already configured' and to check its status, but there is no install step shown to create systemd units; that inconsistency could confuse users or lead them to run arbitrary sudo commands to create services.
!
Credentials
Registry metadata declares no required env vars, but the code expects and/or stores secrets in files (Feishu App ID/Secret saved to ~/.clawdbot/feishu_app.json or webhook config; Garmin credentials stored in ~/.garth/session.json). Garmin credentials are base64-encoded (not encrypted) before saving — weak protection. The skill suggests copying app secrets into config files rather than using properly scoped env variables or secure token stores. Requiring a full account password (and recommending CLI passing) is more access than necessary if OAuth token-based flows are available.
!
Persistence & Privilege
The skill includes background/daemon scripts (sync_daemon.py, sync_all.py) and instructs enabling a systemd timer/service (sudo systemctl enable/start). Although always:false (it won't be force-installed), these instructions encourage giving the skill a persistent system presence and system-level privileges (sudo/systemd). There is no automated installer shown to create the service safely — combined with insecure credential storage, this increases risk.
What to consider before installing
What to consider before installing or running this skill: - Purpose fit: The code matches a Garmin sync feature (local SQLite DB, read APIs, Feishu notifications). That part is coherent with the description. - Credentials: garmin-auth.py asks you to pass your Garmin email and password on the command line and stores them base64-encoded in ~/.garth/session.json. Passing passwords as CLI args leaks them to the process list; base64 is not encryption. Prefer an OAuth token flow or a method that does not require storing raw passwords. If you must use it, enter the password interactively (not on CLI) and replace base64 storage with a secure vault/encryption. - File locations and permissions: review the files it writes (~/.garth/session.json, ~/.clawdbot/garmin/data.db, feishu config files). Ensure those files are permission-restricted (600) and inspect their contents. The README and SKILL.md reference /home/roots — double-check those hard-coded paths before running as a non-root user. - systemd/service claims: SKILL.md says a systemd timer is 'already configured' but there is no installer creating it. Do not blindly run sudo systemctl enable/start commands provided by untrusted code. Inspect the repo for service unit files or create your own controlled timer. - External integrations: the skill will contact Garmin and (optionally) Feishu. Review what you save for Feishu (App ID/Secret) and use least-privilege app credentials. Be cautious about auto-sending reports — if you enable automatic notifications, verify the recipient IDs/webhooks are correct. - Audit the code: because this package is instruction-only with included scripts, read key scripts (garmin-auth.py, garmin-sync.py, sync_all.py, sync_daemon.py, and any code that sends network requests) before running. Look for any hard-coded endpoints, unexpected POST destinations, or code that executes shell commands constructed from unvalidated input. - Safer alternatives: run the sync scripts in a contained environment (dedicated non-root user, virtualenv), avoid passing passwords on the command line, replace base64 storage with an encrypted token store, and manually create any systemd timers after inspection. If you want, I can point out exact lines in garmin-auth.py and other scripts that implement insecure behaviors and suggest sanitizing changes.

Like a lobster shell, security has layers — review code before you run it.

latestvk97c4cajax2xsfbcdm69045b4n83pgh8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments