Security audit

Garmin Connect Data Query

Security checks across malware telemetry and agentic risk

Overview

This Garmin health-data skill mostly does what it says, but it handles a sensitive account token unsafely and includes a hard-coded Garmin user ID that could query the wrong account.

Install only after reviewing the credential and account-scope risks. Treat JWT_WEB like a password, avoid putting it directly on the command line or in chat/logs, and do not use the activity query unless the hard-coded user ID is removed or replaced with the authenticated user's own ID.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 94%
Finding:
This is dangerous because the documented purpose is limited to the user's health data, but the associated behavior reportedly also reads profile fields like displayName and email and uses a hardcoded userId to query activity records for another or specific account. In a health-data skill, undocumented access to personal profile data and queries against a fixed user identifier materially increase privacy risk and suggest the skill may retrieve data beyond what the user intended to authorize.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding:
The script fetches and prints profile data, including the user's email address, even though the stated purpose is querying activity and health metrics. Exposing extra personally identifiable information increases privacy risk, especially in agent/tool contexts where stdout may be logged, surfaced to other components, or shown to users who did not request that data.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The README instructs users to extract a live Garmin JWT token from browser cookies and reuse it for API access, but it does not clearly warn that this token is a sensitive bearer credential equivalent to account access. In a health-data skill, that omission is meaningful because the token can expose highly sensitive personal data such as activity, sleep, and heart-rate information if copied, stored insecurely, or shared.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
The example commands pass the JWT directly as a command-line argument, which commonly exposes secrets through shell history, process listings, audit logs, and terminal scrollback. Because the token grants access to sensitive Garmin Connect account data, this usage pattern materially increases the chance of credential leakage and unauthorized access.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The skill instructs users to manually extract a JWT from browser cookies and pass it to a script without warning that the token is a sensitive bearer credential. If shared, logged, or pasted into insecure contexts, that token can allow unauthorized access to the user's Garmin account data, including sensitive health information.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The script requires a JWT bearer token to be passed on the command line, which can expose the credential through shell history, process listings, audit logs, or job runner metadata visible to other local users or operators. In this skill context, the token grants access to sensitive personal health and activity data, so accidental disclosure can lead to unauthorized access to private Garmin Connect information.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.