Back to skill

Security audit

garmin-connect-skill

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Garmin health-sync skill, but it stores sensitive credentials and health reports in risky ways and can send health data to Feishu/webhooks.

Review before installing. Use only on a trusted machine, avoid entering Garmin passwords on the command line, protect or delete ~/.garth/session.json and ~/.clawdbot health data when no longer needed, do not use the embedded Feishu credentials, and enable Feishu/webhook/timer features only after confirming exactly what health data will be sent and where.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (24)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
if not script_path.exists():
            return f"❌ 脚本不存在:{script_path}"

        result = os.popen(f'python3 {script_path}').read()

        if not result:
            return "❌ 暂无数据"
Confidence
92% confidence
Finding
result = os.popen(f'python3 {script_path}').read()

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented behavior appears broader than the declared purpose: it references background daemons, API/webhook/report delivery, queue files, and Feishu-related setup not disclosed in the top-level description. This is dangerous because users may authorize a fitness-sync skill without realizing it can also persist services, send outbound notifications, and store additional credentials, expanding both data exposure and attack surface.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script takes sensitive Garmin-derived health data and automatically stages it for delivery to Feishu by writing report contents into a message queue file, even though the declared skill scope is only syncing and storing Garmin data locally for access. This is a real privacy/security issue because health information is being repurposed for external sharing without clear user consent, scope disclosure, access controls, or data minimization.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The file implements Feishu message delivery and report broadcasting behavior that is outside the stated Garmin Connect integration scope. Capability drift matters in agent skills because it introduces an additional exfiltration/output channel for sensitive fitness and sleep data that users may not expect from the manifest.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The setup flow claims to configure a Feishu app interactively, but it silently falls back to embedded default App ID and App Secret. Hardcoded credentials are dangerous because they can be reused by anyone with code access, may belong to the author or another tenant, and can cause unauthorized use, credential leakage, or cross-user data routing without informed consent.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script performs actions beyond the stated Garmin sync/storage role by sending derived health reports to Feishu and persisting alerts to a local file. That scope expansion matters because the transmitted content contains sensitive health data, and users reviewing the skill metadata may not reasonably expect outbound messaging or secondary storage.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
This script transmits Garmin-derived health data to a Feishu webhook, which is broader behavior than the skill metadata describes (sync/storage). That mismatch increases the risk of unexpected exfiltration of sensitive fitness and sleep data because users may not anticipate external sharing from this skill.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The module docstring says credentials are saved securely, but the implementation only base64-encodes the password before writing it to disk. Base64 is trivially reversible, so this misrepresents the security properties of the storage and can lead users to expose Garmin credentials on any system where the file is accessible or later exfiltrated.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The router expands a simple intent-matching skill into one that executes local Python programs, which increases the attack surface from data retrieval to code execution. In this skill context, that means any compromise of the referenced scripts or their directory turns ordinary user prompts like '睡眠' or '运动' into triggers for running attacker-controlled code.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly advertises local storage of highly sensitive health data in SQLite and a session credential file on disk, but provides no warning about privacy, filesystem permissions, encryption, backup exposure, or credential handling. In a fitness integration skill, this materially increases the risk of accidental disclosure through weak host security, shared accounts, copied home directories, logs, or backups, especially because health data and persistent OAuth sessions are both sensitive.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The documentation instructs users to print the contents of ~/.garth/session.json directly, which can expose stored session credentials or tokens in terminal history, logs, screenshots, or shared support sessions. Because these credentials may permit access to personal health data, disclosure can lead to account compromise or unauthorized data retrieval.

Missing User Warnings

High
Confidence
99% confidence
Finding
A Feishu App Secret is hardcoded in source and then persisted to a local config file, creating direct credential exposure. Anyone who can read the repository, logs, backups, or the local config may obtain the secret and impersonate the application, abuse the Feishu API, or access/send data under that app's authority.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script sends wellness data to Feishu without a clear, explicit disclosure at send time that personal health information is being transmitted to an external service. In a health-data context, this raises privacy and compliance concerns because users may not understand that sleep, steps, heart-rate, and workout summaries are leaving the local environment.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code writes a health summary containing sensitive personal wellness data to a predictable plaintext file in the user's home directory without any consent check, retention control, or access restriction. On multi-user systems, shared environments, backups, or other local tooling that reads this path, this can expose private health information beyond the original SQLite store and beyond user expectations.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The webhook transmission sends a generated health report containing sleep, heart rate, stress, fitness, and activity data to an external endpoint without any runtime consent, confirmation, or destination validation. Because this is sensitive health information, silent exfiltration to a configurable webhook materially increases privacy and compliance risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The main execution path automatically sends sleep, step, heart-rate, calorie, and workout summary data to an external Feishu webhook without an explicit privacy notice or runtime confirmation. Because this is health-related personal data, silent transmission materially increases privacy risk, especially if the webhook was set long ago, shared, or misconfigured.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The script writes the user's Garmin password to ~/.garth/session.json in only base64-obfuscated form, which is effectively plaintext to anyone or any malware that can read the file. Although chmod 600 reduces exposure to other local users, it does not protect against local compromise, backups, syncing tools, accidental disclosure, or users who do not realize their password is being persisted to disk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script loads stored Garmin credentials, decrypts the password with reversible Base64, logs into a remote service, and pulls highly sensitive health data without any explicit consent prompt, privacy notice, or confirmation at execution time. In an agent/skill context, this creates a real privacy and data-handling risk because a user may trigger sync behavior without understanding that saved credentials and health telemetry will be accessed automatically.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script writes aggregated health data, including workouts, sleep, stress, HRV, and other biometric information, to a local cache file by default under the user's home directory without explicit disclosure or permission checks. This is dangerous because local persistence of sensitive health data expands exposure to other local users, backups, malware, or accidental sharing, especially when the write happens automatically.

Unpinned Dependencies

Low
Category
Supply Chain
Content
garminconnect>=0.2.38
requests>=2.28.0
python-dateutil>=2.8.2
garth>=0.5.0
Confidence
95% confidence
Finding
garminconnect>=0.2.38

Unpinned Dependencies

Low
Category
Supply Chain
Content
garminconnect>=0.2.38
requests>=2.28.0
python-dateutil>=2.8.2
garth>=0.5.0
Confidence
99% confidence
Finding
requests>=2.28.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
garminconnect>=0.2.38
requests>=2.28.0
python-dateutil>=2.8.2
garth>=0.5.0
Confidence
93% confidence
Finding
python-dateutil>=2.8.2

Unpinned Dependencies

Low
Category
Supply Chain
Content
garminconnect>=0.2.38
requests>=2.28.0
python-dateutil>=2.8.2
garth>=0.5.0
Confidence
94% confidence
Finding
garth>=0.5.0

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
98% confidence
Finding
requests

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.